How to Use Risk Appetite and Risk Tolerance to Guide Decisions

The goal of risk management, especially enterprise risk management (ERM), is to provide management (and the entire company) with valuable insights for risk-informed decision-making.  But day in and day out, decisions are being made that don’t reflect what is voiced in the risk appetite statement approved by executives.

Growth is being stifled, and the company is barely remaining viable.

OR, on the flipside, extremely risky decisions are being made in desperate chances to increase income, gain customers, or be considered edgy.


You thought the risk assessment results would be enough to trigger action and decision-making, but nothing happens. Why is management not using the risk information to make decisions?

Management says the risk information is “informative” or “very helpful” but sets aside (both physically and mentally) the risk report to then talk about how to allocate resources for projects in the next quarter. The end result is a decision without research, information, and scenarios to support it.

Who knows what the outcome will be.

Will the company crumble to the ground?  Is the reputation about to be pummeled into dust by consumers on social media?

You think that the way to fix this problem is to become more quantitative. Let’s think about this for a minute. Quantitative risk assessments mean making a significant investment in modeling for in-depth, statistical modeling and scenario analysis.

Is this the right step? Well, surely it is…management always asks for metrics and key performance indicators, so maybe they need hard numbers on the risk side as well. Right? No.

There is another way to provide management with the information they need for meaningful, risk-informed decision-making.

It is okay to take risks. We do it every day, at work and in our personal lives. But it becomes a matter of how much risk we are comfortable accepting, what risks are too big and need to be reduced, and which risks should be avoided at all costs. Essentially, we each have an informal personal risk appetite statement.

What about your company? Do you have a risk appetite statement? If so, what does it look like?

Is it high-level and oh, so ambiguous? Or maybe it’s so detailed it can’t be used in real life.

Reality is that a risk appetite statement should help a company verbalize – at a very high level – how much risk in what areas they are willing to take. One of my earlier posts defines risk appetite and gives some examples.

(For a more in-depth review, check out this article on the basics of risk appetite.)

But there is a deeper level of information – risk tolerance. That same earlier post has this definition of risk tolerance: “risk tolerance establishes minimum and maximum boundaries around the risk appetite that the board is willing to accept.” Absolutely true. These boundaries are what transform high-level information in the risk appetite statement into something actionable.

risk appetite

Risk tolerance can be applied to whatever context you are working – strategic goals and objectives, a project, process changes, whatever. They are flexible and adaptable…and it is crucial for risk management processes to be adaptable, as I discuss in this post.

It can be phrased in terms of money, customers, reputation, or even multiple ways.

So let’s talk about how to actually do it.

Using Risk Assessment Results with Risk Tolerance

It is easiest to describe how to compare risk assessment results to risk tolerance with an example:

Your company is about to rollout a new product. Due to the regulatory oversight, management and the board have agreed on zero tolerance for any regulatory fines or investigations. However, they are willing to accept a cost variance of up to $500,000 to ensure a successful launch. (Make sure that risk tolerance is defined prior to a risk workshop, so the results do not influence management…)

Now that you know this information, let’s apply it further.

During a risk workshop on this new product, a risk was identified and assessed. The risk has the potential impact of $1 million dollars if it occurs. Compare this assessment to the risk tolerance – what is the outcome? This risk is not acceptable as it stands.

Now management needs to do one or more of the following:

  • Change the situation so that the risk doesn’t exist in its current form, hopefully reducing the potential impact to an acceptable level.
  • Take action (create an action plan and dedicate appropriate resources) to mitigate the risk down to the acceptable level.
  • Stop the product launch in its entirety. (Of course, there are other considerations to this decision, but it is a possible decision.)

You have now just made risk appetite and risk tolerance actionable. You have taken risk assessment results, compared them to the risk tolerance, and given management the information they need to make a risk-informed decision. Wow!

What challenges have you faced in your organization related to risk appetite?   How did you overcome them?

I would love to hear your thoughts.  Please share in the comment field below, or join the conversation on LinkedIn.

Do you want someone to guide you through the process of making your risk appetite statement actionable?  Are you struggling to get your risk management initiative off the ground or back on track? If so, contact me so we can discuss your options.

Sign Up For Our Newsletter

Sign Up For Our Newsletter


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.

Most Recent Posts

The 12 Days of ERM Christmas

Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…

Read More

Don’t Let Goals and Initiatives Be Blindsided by External Events

As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…

Read More

Going the Distance: Ensuring Successful Execution of Strategic and Annual Initiatives

Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…

Read More

Avoid Rookie Mistakes and Protect your Internal Reputation

Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…

Read More

ERM at Thanksgiving – An Illustration of Risk Management in Action

On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…

Read More

Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation

Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…

Read More

The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…

Read More

5 Avenues for Expanding your ERM Knowledge

One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…

Read More

Storytelling and Risk Management – Developing Skills that Technology Cannot Replace

It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…

Read More

3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…

Read More