Print Page   |   Contact Us   |   Sign In   |   Apply online
Community Search

2016/10/24 » 2016/10/25
Risk Management for Risk Champions Training - 24 & 25 October 2016

Managing Risk Management Training - 2 November 2016

2016/11/03 » 2016/11/04
Project Risk Assessment Training - 3 & 4 November 2016

Risk Reporting Training - 7 November 2016

IRMSA Insight
Blog Home All Blogs
Search all posts for:   


View all (38) posts »

Risk appetite and tolerance explained

Posted By IRMSAInsight, 30 October 2014

Having a defined Risk Appetite Statement is a crucial starting point to the Risk Management process. Risk Appetite and Risk Tolerance are terms that are often incorrectly interchanged without a solid understanding of the definition of each of these related yet different concepts.




It is often said that no company or organisation, regardless of its sector, can make a profit without taking a risk. The only question is how much risk do they need to take? Taking risks without consciously managing those risks can lead to the failure of an organisation and therefore a well researched, strategically aligned and regularly revised statement from the board is required in order to successfully implement and support the Risk Management function.

The COSO ERM Framework defines risk appetite as “the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value”. Therefore, Risk Appetite deals with the pursuit of risk (upside risk) – “the amount and type of risk that an organisation is willing to pursue or retain” (ISO Guide 73).

An organisation’s Risk Appetite is communicated via a Risk Appetite statement which has no fixed / defined format. The statement should include a range of quantifiable values defining the acceptable levels of risk that the board is willing to accept in pursuing the risks required to take in order to meet its objectives.



Whilst Risk Appetite deals with the level of risk that the organisation will pursue to meet their organisational objectives, Risk Tolerance defines the upper and lower levels that an organisation is able to deal with / absorb, without significantly impacting the achievement of the strategic objectives.

Risk Tolerance can be expressed at a more granular / absolute level, for example “we will not expose more than x% of our capital to losses in a certain line of business” or “we will not deal with certain types of customer“.

Tolerance levels can also be graphically represented alongside the appetite levels on what is referred to as a risk matrix or heat map. The example below shows the appetite line, above and to the right of which performance is deemed to be sub-optimal and action should be taken.




 Risk Appetite statements are often rather broad at the organisational level and become more refined and precise as they are implemented into departments and operations across the organisation. Tolerance levels and appetite values are likely to differ from business unit to business unit, depending on the overall weighting of that business unit to the organisation. How these statements and values are defined, communicated and monitored is a management decision. It is important for the Risk Managers in each business unit to ensure that the criteria in which they are operating is up-to-date with the strategic plan communicated by the board and is updated regularly.



Author: Madeleine Black, Product Manager, BarnOwl

Click here for more information on Barnowl





This post has not been tagged.

Share |
Permalink | Comments (0)
Sign In

Forgot your password?

Click here to join IRMSA