Risk Appetite vs Risk Tolerance

Published December 20, 2018 · 4 min read

Although often used interchangeably, risk appetite and risk tolerance differ from one another in a nuanced way. While most regulations and standards focus on the risk management process, few clearly define the difference between these terms in a meaningful way. However, to create an effective cybersecurity program, you need to be able to separate risk appetite from risk tolerance so that you can develop appropriate controls to protect data.

Risk Appetite and Risk Tolerance: What’s the Difference?

What is risk appetite?

If you’re taking an enterprise risk management (ERM) approach to cybersecurity, your risk appetite focuses on the type of risk and amount of risk you deem acceptable based on your business objectives and resources.

For example, if you’re currently a payment processing organization, you might be focused on retail. However, as part of your ERM, you might be looking to move into the healthcare industry. If, as part of ERM, you determine that you want to accept the legal risks arising out of the Healthcare Portability and Accountability Act (HIPAA), then you’ve set your risk appetite.

Just as with physical hunger, you’re hungry to scale your business: you have an “appetite” that needs to be satisfied.

What is risk tolerance?

On the other hand, risk tolerance is how you determine the level of risk you’re willing to accept.

Back to the payment processing example, you might decide that you’re willing to accept the risk of moving into healthcare, but you may not be willing to accept all the risks inherent in continuously monitoring for protected health information. Therefore, you decide to transfer that risk to a third-party vendor.

When you’re hungry for a steak dinner, you may not finish the whole thing because you reached your tolerance point. The same is also true for cybersecurity risks.

What is a risk appetite statement?

A risk appetite statement is a written document, often incorporated as part of public financial reports, that explains your risk decisions. This statement allows you to inform internal and external stakeholders of your risk appetite and then opens more meaningful conversations to drive strategic objectives.

How to create a risk appetite statement

In 2018, the International Organization for Standardization (ISO) updated the risk management guidelines in the ISO 31000 standard. Although ISO 31000 never uses the term “risk appetite,” it implies the term under “establishing the amount and type of risk that may or may not be taken.”

While ISO 31000 creates a risk management framework that enables you to create a risk appetite statement, it also formalizes the risk management process. By putting the framework and process together, you can create an appropriate risk appetite statement.

Step 1: Commitment and Communication

Discuss the business strategies and objectives with leadership to ensure that you not only know how much risk you want to take on but also whether that risk meets the overarching organizational goals. By communicating across the enterprise, you can incorporate the needed views for defining risk criteria and create ownership. This allows you to establish your risk appetite and make sure all stakeholders buy into the process.

Step 2: Define Scope, Context, and Criteria to Integrate Throughout the Organization

As part of integrated risk management (IRM), the next step beyond ERM, you need to determine where you are in the overall supply chain and then ensure you review across your ecosystem. By looking at the internal and external risk factors, you can define the acceptable amount of risk and evaluation criteria.

Step 3: Design the Risk Assessment

By communicating your risk management commitment specific to your place in the supply chain, you can identify, describe, and analyze your risks. Once you’ve done that, you use the likelihood, potential events, controls, and control effectiveness to see whether the risk levels align with your risk tolerance. If a risk comes with too much variation, you may want to refuse to accept it.

Step 4: Implement a Risk Treatment

Implementation focuses on creating a plan with deadlines that records the decisions and the reasons for them. Part of that implementation is selecting the ways you want to handle the risks: you can choose to accept, refuse, mitigate, or transfer each risk. As part of that, you need to design a treatment plan that implements these decisions.

Step 5: Evaluate Through Monitoring

As part of your risk appetite statement, you also need to determine whether you’re going to use a qualitative, quantitative, or combined evaluation process. You need to set metrics, then continuously monitor your data environment and ecosystem to ensure compliance with your internal risk assessment.

Step 6: Make Improvements Based on Records and Reports

Continuous monitoring can uncover weaknesses in your control environment. Communicating those weaknesses and then improving your risk monitoring activities allows you to maintain a robust risk management program.

Step 7: Summarize Outcomes For Release

You use your risk appetite statement to foster communication with internal and external stakeholders. However, most risk appetite statements are for public consumption, such as financial reporting. Therefore, you need to summarize the decision-making process and outcomes in a way that protects your organization while also revealing your commitment to the process.

How ZenGRC Enables the Risk Management Process

Creating a risk appetite statement requires internal communication across a variety of stakeholders. As such, you need to create an efficient workflow that eases the burden of coordinating communication and task management.

ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it, and so that you can maintain records up until the time you need to dispose of them.

With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in cyber risk management.

Finally, with our audit trail capabilities, you can document all of your risk appetite and risk tolerance decisions so auditors can easily review your risk management program.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.