The terms “risk appetite” and its close cousin “risk tolerance” are often poorly understood, very rarely used to good effect, and commonly used interchangeably.
Similar to the word “risk,” you will sometimes get as many different definitions for these terms as people you ask.
Excerpted from Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund, Copyright © 2015 Elsevier Inc.
Potentially useful definitions we have seen include:
- Risk appetite: A target level of loss exposure that the organization views as acceptable, given business objectives and resources
- Risk tolerance: The degree of variance from the organization’s risk appetite that the organization is willing to tolerate
Understanding Risk Appetite vs. Risk Tolerance - Think of Speed Limits
Given these definitions, a simple analogy for appetite and tolerance would be speed on a highway. The department of transportation or other government entity sets a speed limit. This could be roughly thought of as analogous to risk appetite and reflects the decision-makers' beliefs regarding an appropriate balance between traffic flow, highway and environmental wear-and-tear, and public safety (among other things).
The people using the highway will usually travel at speeds greater or lesser than the speed limit as opposed to exactly at the speed limit, and the point at which law enforcement actually begins ticketing violators could be viewed as analogous to risk tolerance.
Given normal weather and other conditions, it is extremely rare to see law enforcement enforce the speed exactly at the limit. Consequently, while risk appetite can be thought of as a line drawn in the sand that helps to set expectations, risk tolerance can be thought of as the variance from appetite that drives day-to-day decisions to operate differently in some manner. Note the operative word here - "decisions".
More Resources on Risk Appetite and Risk Tolerance
How to Create a Risk Appetite Statement
In the blog post Define Your Company’s Appetite for Risk with FAIR Analysis, RiskLens risk program consultant Rebecca Merritt laid out these general steps:
1. Start by pinpointing the relevant loss types (grouped as confidentiality, integrity, availability) for your organization.
2. Set thresholds in terms of frequency and magnitude of cyber loss incidents for each loss type. For example, for availability the threshold should be expressed in terms of how many minutes, hours or days of outage are acceptable. Codify the thresholds in a risk appetite statement.
3. Assess your actual risk in quantitative terms with FAIR analysis, starting with your top risks, and compare to your risk appetite.
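The three steps above, and the appetite-versus-tolerance distinction from the speed-limit analogy, as one worked example added here (this is not code from RiskLens, the blog post, or the FAIR book): it models a single loss type with constructed min / most likely / max estimates for loss event frequency and loss magnitude, runs a small Monte Carlo simulation to obtain a distribution of annual loss, and compares the result against a constructed appetite and tolerance stated in dollars. The PERT-shaped inputs, Poisson event counts, the use of the 90th-percentile annual loss as the figure compared to appetite, and every number are assumptions of this example, not prescriptions from the source.

```python
import math
import random
import statistics
from dataclasses import dataclass


# Constructed example, not RiskLens or FAIR tooling: one loss type described by
# calibrated (min, most likely, max) estimates, the way FAIR inputs are usually
# gathered. Frequency is loss events per year; magnitude is dollars per event.
@dataclass
class LossType:
    name: str
    lef: tuple        # (min, likely, max) loss events per year
    magnitude: tuple  # (min, likely, max) dollars per loss event


def pert_sample(rng, lo, likely, hi, lam=4.0):
    """Draw one value from a modified-PERT distribution via its Beta form."""
    if hi <= lo:
        return lo
    a = 1 + lam * (likely - lo) / (hi - lo)
    b = 1 + lam * (hi - likely) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)


def poisson_sample(rng, rate):
    """Number of loss events in one year for a given annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(lt, years=5000, seed=1):
    """Monte Carlo: total loss in each simulated year for one loss type."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    totals = []
    for _ in range(years):
        rate = pert_sample(rng, *lt.lef)
        events = poisson_sample(rng, rate)
        totals.append(sum(pert_sample(rng, *lt.magnitude) for _ in range(events)))
    return totals


def classify(exposure, appetite, tolerance):
    """Appetite is the annualized loss the organization accepts (the speed limit);
    tolerance is the variance above appetite that does not yet force a decision
    to act (the point at which tickets are written). Both are in dollars."""
    if exposure <= appetite:
        return "within appetite"
    if exposure <= appetite + tolerance:
        return "within tolerance"
    return "exceeds tolerance"


def assess(lt, appetite, tolerance, years=5000, seed=1):
    """Step 3: compare quantified exposure to the stated appetite.
    Assumption of this example: the 90th-percentile annual loss is the statistic
    compared, a conservative choice the source does not prescribe."""
    totals = simulate_annual_loss(lt, years, seed)
    mean = statistics.fmean(totals)
    p90 = statistics.quantiles(totals, n=10)[-1]
    return {"loss_type": lt.name, "mean": mean, "p90": p90,
            "verdict": classify(p90, appetite, tolerance)}


# Constructed availability scenario: 0.5 to 6 outages a year, $10k to $400k each.
AVAILABILITY = LossType("availability", (0.5, 2.0, 6.0), (10_000, 50_000, 400_000))
APPETITE = 200_000    # constructed appetite statement: $200k annualized loss is acceptable
TOLERANCE = 100_000   # constructed tolerance: a decision to act is forced above $300k

if __name__ == "__main__":
    result = assess(AVAILABILITY, APPETITE, TOLERANCE)
    print(f"{result['loss_type']}: mean ${result['mean']:,.0f}, "
          f"p90 ${result['p90']:,.0f} -> {result['verdict']}")
```

Expressing appetite and tolerance in the same units as the analysis output (dollars of annualized loss) is what makes step 3 a mechanical comparison rather than a judgment call; the outage-duration threshold from step 2 feeds this model through the magnitude estimates.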
Trouble in Your Organization Setting a Risk Appetite Definition?
Organizations that have used qualitative risk assessments may find it difficult to move to quantifying risk appetite and tolerance. Here are some questions to ask stakeholders to start the process, from a RiskLens blog post on risk appetite.
- What does materiality look like from a financial reporting perspective?
- What is our current cyber insurance coverage?
- What are the largest security and availability events that have happened at our organization? What was the impact?
- What is the maximum duration of an outage for <insert critical system> that we are willing / able to withstand?
- What is the maximum number of confidential records we are willing to accept being breached?
Take a Deeper Dive into Risk Appetite in this Video from Jack Jones
Defining a Cyber Risk Appetite that Works, presentation at the 2019 RSA Conference