The terms “risk appetite” and its close cousin “risk tolerance” are often poorly understood, rarely used to good effect, and commonly used interchangeably.
As with the word “risk,” you will sometimes get as many different definitions for these terms as there are people you ask.
Excerpted from Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund, Copyright © 2015 Elsevier Inc.
Potentially useful definitions we have seen include:
- Risk appetite: A target level of loss exposure that the organization views as acceptable, given business objectives and resources
- Risk tolerance: The degree of variance from the organization’s risk appetite that the organization is willing to tolerate
Given these definitions, a simple analogy for appetite and tolerance is speed on a highway. The department of transportation or another government entity sets a speed limit. The limit can be thought of as analogous to risk appetite: it reflects the decision-makers' view of an appropriate balance among traffic flow, highway and environmental wear-and-tear, and public safety (among other things).
The people using the highway usually travel somewhat faster or slower than the speed limit rather than exactly at it, and the speed at which law enforcement actually begins ticketing violators can be viewed as analogous to risk tolerance.
Under normal weather and road conditions, it is extremely rare to see law enforcement ticket drivers for exceeding the limit by a trivial margin. Consequently, while risk appetite can be thought of as a line drawn in the sand that sets expectations, risk tolerance is the accepted variance from appetite, and it is that variance that drives day-to-day decisions to operate differently in some manner. Note the operative word here: "decisions".