
1.1 Risk Capacity, Risk Appetite and Risk Tolerance




The first step in learning risk management is to understand the following three terms:


  • Risk Capacity

  • Risk Tolerance

  • Risk Appetite


Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:

 

Parameter        Description

Risk Capacity    Maximum risk an organization can afford to take.

Risk Tolerance   Acceptable deviations from risk appetite. Tolerance levels are always lower than risk capacity.

Risk Appetite    Amount of risk an organization is willing to take.

 

Let us understand this with a practical example:


Mr. A's total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700. If the markets are good, he is willing to invest a further $50.


Risk Capacity: Total amount available, i.e. $1000

Risk Appetite: His willingness to take risk, i.e. $700

Risk Tolerance: Acceptable deviation from risk appetite, i.e. $750

 

Relationship between Risk Capacity, Risk Tolerance and Risk Appetite:

 



  • Risk capacity is always greater than both tolerance and appetite.


  • Tolerance can be either equal to or greater than appetite. Risk tolerance levels are acceptable deviations from risk appetite.


  • Risk acceptance should generally be within the risk appetite of the organization. In no case should it exceed risk capacity.

 

Periodic review of Risk Appetite & Tolerance


Risk appetite and tolerance need to be reviewed at regular intervals. Factors such as new technology, organizational restructuring, or changes in business strategy may require the organization to reassess its risk portfolio and reconfirm its risk appetite. Risk appetite and tolerance are the deciding factors for prioritization of risk response. Risks with low appetite need to be addressed immediately.

 

Risk appetite and tolerance should be defined and approved by senior management.

 

Alignment of Risk Appetite with Business Objective


Risk appetite should be aligned with business objectives to ensure that resources are directed towards areas of low risk tolerance. For critical business processes, risk appetite should be thoroughly monitored and controlled. This helps a risk practitioner to build more controls for the areas or processes where risk appetite and risk tolerance are low.


Let us understand this with an example. An organization has three business objectives. One of them is the most critical, with 80% of business derived from that area. The other two objectives are not as critical. The organization will spend more resources on this critical business objective to keep the residual risk within limit.


Compliance with Risk Appetite 

Risk practitioners can determine compliance with risk appetite by evaluating the residual risk, i.e. residual risk should be within the risk appetite (the acceptable risk). For example, an organization does not want to expose more than $50 for a given project, i.e. its risk appetite or acceptable risk is $50. The organization will have to keep its residual risk within $50 to comply with its risk appetite.
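As an added example, not part of the original page, the following Python models the rules above: a threshold object that enforces capacity > tolerance >= appetite, a compliance check that bands a residual risk value against appetite, tolerance and capacity, and a prioritization of risks for response by how far they breach those bands. Mr. A's figures ($1000 / $700 / $750) are reused as the thresholds; the project register values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskThresholds:
    """Organizational limits, in the same monetary unit as the residual risk."""
    capacity: float   # maximum risk the organization can afford to take
    appetite: float   # amount of risk it is willing to take
    tolerance: float  # acceptable deviation above appetite (as an absolute level)

    def __post_init__(self) -> None:
        # Relationship stated in the text: capacity > tolerance >= appetite >= 0.
        if not (0 <= self.appetite <= self.tolerance < self.capacity):
            raise ValueError("expected 0 <= appetite <= tolerance < capacity")

def classify(residual: float, t: RiskThresholds) -> str:
    """Map a residual risk value to the band it falls in."""
    if residual <= t.appetite:
        return "within appetite"      # compliant with risk appetite
    if residual <= t.tolerance:
        return "within tolerance"     # deviation management allows
    if residual < t.capacity:
        return "exceeds tolerance"    # response required, but still affordable
    return "exceeds capacity"         # never acceptable

# Worst band first; used to order risks for response.
_PRIORITY = {"exceeds capacity": 0, "exceeds tolerance": 1,
             "within tolerance": 2, "within appetite": 3}

def prioritise(risks: dict[str, float], t: RiskThresholds) -> list[tuple[str, str]]:
    """Order (name, band) pairs: worst band first, then largest residual value."""
    banded = [(name, classify(value, t)) for name, value in risks.items()]
    return sorted(banded, key=lambda nb: (_PRIORITY[nb[1]], -risks[nb[0]]))

# Thresholds taken from Mr. A's example in the text.
MR_A = RiskThresholds(capacity=1000, appetite=700, tolerance=750)
# Constructed register of residual exposure per project (hypothetical values).
REGISTER = {"project-1": 650, "project-2": 740, "project-3": 900, "project-4": 1000}

if __name__ == "__main__":
    for name, band in prioritise(REGISTER, MR_A):
        print(f"{name}: ${REGISTER[name]} -> {band}")
```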

 

Factors affecting Risk Appetite 

Risk appetite differs from organization to organization. Risk-prone organizations may have high levels of risk appetite, whereas risk-averse organizations may have low levels of risk appetite. Organizations adopt their risk appetite on the basis of their culture and predisposition towards risk taking.


Responsibility of monitoring the Risk 

Risks should be monitored on a continuous basis, and the results of the monitoring should be communicated to the respective risk owners. Risk owners are responsible for ensuring that risk stays within the tolerance level.

 

Benefits of defining risk capacity and appetite


  • It provides evidence of the risk-based decision-making processes.

  • It helps to understand how each component of the enterprise contributes to the overall risk profile.

  • It helps in prioritization and approval of risk response.

  • It helps in identifying specific areas where a risk response is warranted.

 

Key aspects from CRISC exam perspective

 

Q. Risk appetite should be aligned with business objective to
A. Ensure that resources are directed towards area of low risk tolerance

Q. Compliance with risk appetite can be determined by ensuring
A. Residual risk is within acceptable risk

Q. Organization adopts their risk appetite on the basis of
A. Culture and predisposition toward risk taking

Q. Management generally allows some deviation from defined risk appetite. This is known as
A. Risk tolerance

Q. What are the deciding factors for the mitigation of risk?
A. Risk Tolerance and Risk Appetite

Q. Results of continuous monitoring should be best communicated to
A. Risk owner

 
