Whether you’re launching a new product, opening a factory, or storing sensitive data, you can practically count on risks appearing. In 2023 alone, there were more than 20,000 reported cases of business email compromise scams. To navigate this cybersecurity “minefield,” it’s essential to find the right balance between risk appetite and risk tolerance.
Some business professionals think that the terms risk appetite and risk tolerance are interchangeable, but that’s not accurate. These expressions sound similar but deal with different concepts.
When creating a framework for risk awareness, it’s necessary to define your company’s posture for both risk appetite and risk tolerance. Having a clear policy for each element helps stakeholders make decisions that harmonize with your organization’s goals and cybersecurity needs.
Risk appetite is the total amount of risk your organization is comfortable accepting. This boundary determines at what point you take action to lower the level of risk.
To understand risk appetite better, think about your lunch habits. Are you the type of person who holds off eating until you finish tasks, or do you get your lunch at noon exactly?
If feeling your stomach growl doesn’t bother you, it’s like having a high risk appetite. Waiting until 2:00 p.m. to grab something isn’t a big deal.
A lower risk appetite is like someone who needs to eat lunch ASAP. Taking action to calm the “hunger” is a priority.
The risk appetite of a business often varies by industry. Here are a few clues for your business:
An insurer with a high risk appetite might look at a Florida coastal property and agree to write a policy as long as the premiums are high enough to justify the risk. Insurers with a lower risk appetite would either refuse to offer coverage or require homeowners to take risk-mitigating measures, such as installing hurricane shutters or accepting a high deductible.
Risk tolerance is the level of deviation from your risk appetite threshold that you’re willing to accept in order to achieve your goals. In other words, risk tolerance kicks in after you’ve hit your upper limit for risk, giving your business the flexibility to make a go/no-go judgment call.
If we use the same lunchtime example, risk tolerance would be like making an exception to your normal 12 o’clock-on-the-dot lunch schedule because of something unexpected, like a flash sale. You’re hungry, but you really want to buy that TV before it sells out, so you push yourself.
Companies are often willing to do the same if it means successfully completing a project or reaching a milestone. Even though the project has hit the agreed-upon risk appetite limits, your team decides to keep going. How long and how far will you push? That’s where your risk tolerance comes in.
Some examples of risk tolerance in business include:
Even if threats and vulnerabilities technically violate your organization’s stated policies, risk tolerance allows for some leeway. It’s the same decision racecar drivers have to make when they’re nearing the final lap but need a pit stop. Is the reward of potentially winning the race worth risking a blown-out tire? It probably depends on how close to failure the tires really are.
Risk appetite and risk tolerance are closely related, so don’t be surprised when both terms pop up as part of risk management. They commonly appear as percentages. The way you calculate and use these numbers is different, however.
Risk appetite is a statement of your organization’s approach to risk. As such, it applies to every product, investment, asset, and project your company touches.
Risk tolerance has a smaller scale. Companies use it mainly for precise, short-term decisions, such as new products, projects, or technology investments.
Defining risk appetite is the responsibility of a company’s executives or board (or the GRC team). After performing a risk analysis, many companies add a risk appetite statement to organizational policies.
On the other hand, enterprises often allow managers some leeway to make go/no-go decisions on risk tolerance personally, especially production managers, department heads, and team leaders. IT managers may have the authority to decide how to respond to denial-of-service attacks, weighing customer convenience with the need to protect the organization’s network.
Risk appetite enters into the picture before any mitigating strategies apply. Risk tolerance decisions are made after taking steps to reduce risk. The progression looks like this:
As this example shows, risk tolerance is also much more flexible than risk appetite. If market conditions change and the product’s profit margins drop, reevaluating the risk tolerance is likely to lead to a different decision.
Every business approaches risk appetite and risk tolerance decisions differently based on compliance factors and cybersecurity maturity. Compliance platforms like Compyl can help you adopt and implement organization-wide frameworks for enterprise risk management. Control your organization’s risks like never before.