In formulating strategies and/or operating plans, an enterprise must decide to take on some level of risk to achieve its objectives.
An amount or magnitude of risk is generally expressed as risk appetite and risk tolerance.
Although these terms are used frequently, the potential for misunderstanding is high: some people use the concepts interchangeably, while others see a clear difference. The Risk IT framework definitions are compatible with the COSO ERM and ISO 31000 definitions:
Risk appetite—The broad-based amount of risk an enterprise or other entity is willing to accept in pursuit of its mission (or vision)
Risk tolerance—The acceptable range of deviation relative to the achievement of a given objective (best when quantified in the same unit of measure as the related objective)
Risk Appetite
Risk appetite reflects the amount of risk an entity is prepared to accept in order to achieve its objectives. When considering risk appetite levels for the enterprise, three major factors are important:
The objective capacity of the enterprise to absorb loss—e.g., financial loss or damage to reputation
The (management) culture or predisposition towards risk taking—e.g., cautious or aggressive. What amount or magnitude of loss will the enterprise accept to pursue its strategy or objectives?
The nature of the business and the type of risk involved—e.g., the failure of a conveyor belt in a candy factory vs. the failure of a flight-control system on a commercial airliner
Risk appetite is different in each enterprise—there is no absolute norm or standard of what constitutes acceptable and unacceptable risk.
Statements of risk appetite are often broad, and tend to speak of risk hypothetically or generally—e.g., “the enterprise will not accept the risk of noncompliance,” or “the organization will not accept fraud risk”—rather than express risk concretely in quantifiable terms.
Although such representations of risk appetite are common, they are very difficult to cascade down through the organization as management directives: Absolute prohibitions on risk are impossible to maintain and therefore impractical.
Under such a prohibition against risk, every control deficiency would be fixed, and every business endeavor with risk would be declined. In practice, this approach is not a productive or efficient use of resources. Instead, enterprises should attempt to determine a loss amount that is acceptable and manage to that amount. An example of a practical, concrete, quantified risk appetite statement might be: Although the enterprise desires to have no appetite for I&T risk, it recognizes that this is impractical in the achievement of its objectives. Therefore, the enterprise will remediate loss scenarios whereby aggregate losses of $1 million or more are at risk.
Large enterprises may find it useful to have a version of this statement for each line of business.
An enterprisewide appetite statement should reflect (or aggregate) all the line-of-business statements.
Every enterprise must define its own risk appetite levels and review them on a regular basis. This definition of risk appetite should align with the overall risk culture that the enterprise wants to express (i.e., ranging from very risk averse to risk taking/opportunity seeking). Although there is no universal right or wrong, risk appetite needs to be defined, well understood and communicated. Risk appetite and risk tolerance should be applied not only to risk assessments but also to all I&T-related decision making.
Risk Tolerance
Risk tolerance reflects a range of acceptable deviation from the level set by the risk appetite and business objectives—for example:
Standards require projects to be completed within estimated budgets and time frames, but overruns of 10 percent of budget or 20 percent of time are tolerated.
Risk Capacity
The term risk capacity is sometimes used in discussions of risk appetite. Risk capacity is usually defined as the objective magnitude or amount of loss that an enterprise can tolerate without risking its continued existence. As such, it differs from risk appetite, which generally reflects a board or management decision regarding how much risk is desirable; appetite should therefore be set at or below capacity.
Reference: Risk IT Framework, 2nd Edition, ISACA.