Using risk appetite & tolerance to make better business decisions

Your company may not realise it, but risk appetite and risk tolerance both play vital roles in decision making.

Picture this: it’s 2010. You’re an executive at a major bank. People are starting to talk about mobile cheque deposits – that is, letting customers deposit cheques by taking a picture of them with their smartphones. Sales and marketing are insisting you add this functionality to the new mobile app, but you quickly come up with a number of reasons why this is a bad idea. There’s no way you should offer such a product. It’s entirely too risky!

Of course, a few years later, your mobile cheque deposit app is up and running – and is a standard feature on most of your competitors’ apps as well.

What changed? The risk of offering versus not offering this feature.

Let’s break down this scenario a little more, as well as how and why calculating risk appetite and tolerance is important for every company. Companies must know their risk appetite and tolerance for smaller-scale business decisions (like when to adopt new product functionality), so they can carry that practice over into responding to high-impact external threats (such as the COVID-19 pandemic).

Risk appetite vs. risk tolerance

First, some quick definitions: ‘risk appetite’ typically refers to how much risk a company is willing to take on. ‘Risk tolerance’, on the other hand, refers to how much a company is willing to deviate from its defined appetite.

A young, growing startup on the cutting edge of its industry is likely to have a high risk appetite as well as a higher risk tolerance than a more established company in the same industry. This is largely because the growing company has more to gain by taking risks than it does to lose.

On the other end of the spectrum would be an established company in a heavily regulated industry – like banking.

Why calculate your company’s risk appetite & tolerance?

As I’ll explain in a minute, calculating your risk appetite is labour intensive. But it’s well worth doing because it offers you a clear-cut guide to where and how you should be investing money within the company.

Let’s return to the example of the bank. In 2010, introducing a mobile cheque deposit feature was far too risky. Only about a third of Americans even had smartphones in 2010, which meant the upside potential of attracting new customers by offering mobile-only features was paltry compared with the potential risks the feature would introduce.

By 2012, though, the reality had shifted: more than half the country had smartphones. Banks were expanding their mobile features. Banking customers were expecting mobile deposit, which meant any bank that didn’t offer this feature could expect to lose existing customers and miss out on new ones – especially among the younger, digital-native population.

Today, most major banks offer mobile cheque deposit in their apps, as well as many other handy features that would have been unthinkably risky less than a decade ago. But thanks to risk assessments that help determine risk appetite, banks were able to see that their bottom line would be better served by introducing these “risky” new features than by taking the “safer” position of not adding them.

How to calculate your risk appetite & tolerance

The mobile deposit anecdote highlights an important feature of risk appetite: there are many different kinds of risk. A typical risk assessment will look at market risk, financial risk, reputational risk, cyber risk, and more.

In 2010, the cyber risk presented by mobile cheque deposit outweighed any potential gains in market share or finances. But within just a few years, the reputational, financial, and market risk of not having the feature outweighed any potential cyber threats.

So how can a company get to a place where it can confidently make decisions about which opportunities to invest in and which ones to skip? First, you have to perform a risk assessment. There are two types of assessments you can perform:

Qualitative Risk Assessment: This involves scoring risk as being either high, medium, or low.
Quantitative Risk Assessment: This involves scoring risk on a numeric scale – for example, from one to 10.

The latter is a superior system because it allows for numeric calculation and greater granularity. But whichever assessment method you choose, be sure to have buy-in from multiple departments. If you don’t, you could end up making decisions based on incorrect data.

After assessing risk in as many areas of the organisation as possible, management will need to define a risk appetite – say, 5.6 on a 10-point scale, or “medium” on a scale of low to high. Risk assessments are largely subjective, but when they are done by committee, each individual in the process is forced to justify their position, which brings rigour to the process.

Once you’ve defined your risk appetite, maintaining a hard line is difficult, especially in growing organisations. What’s even harder, though, is defining how much an organisation is willing to deviate from its defined appetite – i.e., defining its risk tolerance.

Why bother defining appetite if there’s a chance you’ll deviate from it? Because there has to be some wiggle room. This is what lets an organisation take advantage of new opportunities – and what guides it on which opportunities to seize and which to pass up.

This is why risk tolerance was born.

Once you’ve defined your risk appetite and tolerance by assessing the risk of your current operations, products, and systems, you’re positioned to make calculated investments in technology and controls to strategically remain within your defined risk appetite.

The hypothetical bank from earlier, for example, might have calculated mobile cheque deposit as a risk factor of eight, when it wanted to remain at a 5.6. But as it saw customer demand for the feature grow, it might have found ways to reduce the risk – limiting the amount that could be deposited via mobile, for example, or requiring multi-factor authentication, or limiting the feature to a certain group of customers. Introducing a risk tolerance figure of, say, 1.2 would only require the bank to bring the risk down to 6.8 – allowing the bank to proceed with the offering.
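The committee scoring described above and the bank’s appetite/tolerance calculation, worked through as an added example (not code from the article or from ServerCentral Turing Group). The department scores, control names and the size of each control’s score reduction are constructed values for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Opportunity:
    """A proposed feature scored by a committee on a 1-10 quantitative scale."""
    name: str
    scores: dict                                   # department -> inherent risk score
    controls: list = field(default_factory=list)   # (control name, score reduction)

    def inherent_risk(self) -> float:
        # Committee view: the average of the department scores, to one decimal.
        return round(mean(self.scores.values()), 1)

    def residual_risk(self) -> float:
        # Each mitigating control lowers the score; it cannot drop below 1.
        reduction = sum(r for _, r in self.controls)
        return round(max(1.0, self.inherent_risk() - reduction), 1)


def evaluate(opp: Opportunity, appetite: float, tolerance: float) -> dict:
    """Compare residual risk against the defined appetite and the tolerance band."""
    if len(opp.scores) < 2:
        # The article's point: scoring without multi-department buy-in is not trustworthy.
        raise ValueError("need scores from more than one department")
    residual = opp.residual_risk()
    ceiling = round(appetite + tolerance, 1)   # appetite plus the permitted deviation
    if residual <= appetite:
        verdict = "proceed"
    elif residual <= ceiling:
        verdict = "proceed within tolerance"
    else:
        verdict = "reduce risk or decline"
    return {"residual": residual, "ceiling": ceiling, "verdict": verdict}


# Constructed sample: the article's hypothetical bank, appetite 5.6, tolerance 1.2.
MOBILE_DEPOSIT = Opportunity(
    "mobile cheque deposit",
    scores={"security": 9, "finance": 8, "marketing": 7},   # averages to 8.0
)
MITIGATED = Opportunity(
    MOBILE_DEPOSIT.name, MOBILE_DEPOSIT.scores,
    controls=[("per-deposit limit", 0.7), ("multi-factor authentication", 0.5)],
)

if __name__ == "__main__":
    for opp in (MOBILE_DEPOSIT, MITIGATED):
        print(opp.name, evaluate(opp, 5.6, 1.2))
```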

Know your risk appetite & tolerance to make better business decisions

Most of the decisions we make as individuals involve weighing risk against potential reward. Cross the street without a walk signal? Eat the expired lunch meat? Drive above the speed limit?

Businesses are different only in that they’re more complex: they have more risk exposure, more stakeholders, and typically a larger impact if things go wrong. That’s important to remember when it comes time to evaluate risk: just as individuals may rely on financial advisors, doctors, or religious leaders to explain what they should and shouldn’t do to achieve certain outcomes, businesses often need third-party insight into their risk exposure. Engage a third party skilled in business risk to review what you have set up. Having another set of eyes on your programme will only improve it.

There are many ways to leverage the information produced by a risk assessment. Assessing risk and identifying an organisation’s appetite and tolerance is a continually evolving process. Make sure you try different approaches to identify what is right for your organisation – doing so will allow you to make the best decisions with the results of the risk assessment.

Written by Thomas Johnson, CISO at ServerCentral Turing Group
