Risk Appetite: How Much Can You Take?
There are many factors involved in what ends up being an organization's retention and records plan. Chief among those is risk management. One of the most critical trends in enterprise risk management is risk appetite. Risk appetite is the amount of risk an organization is willing to take to pursue its goals and objectives. Many factors should be considered when deciding an organization's risk appetite, such as:

  • Organizational culture

  • Industry

  • Regulatory mandates

  • Competitors

  • Overall goals and initiatives

  • Market rank and financials

Risk appetite differs from risk tolerance. Dave Shackleford from Voodoo Security uses this clever simile to explain: "If risk appetite represents a speed limit of 70 MPH, risk tolerance is how much faster you can drive without getting pulled over and issued a ticket."

Risk tolerance is subject to the same wide variety of factors that determine risk appetite. But the amount of risk tolerance an organization accepts can be more agile, depending on factors that include the structure of a project, its timeframe, and the experience of those involved. It is also possible for risk tolerance to change over time as industry standards, regulations, and best practices change.

The main problem that organizations have with both risk tolerance and risk appetite is that they treat them as a "one and done" activity performed only to satisfy auditors and regulators. Instead, they should be used as tools or frameworks that help the company make risk-centric decisions and achieve its objectives. Years back, Jereb Cheatham from Laserfiche developed the concept of "invisible records management" in response to organizations' need to put records management protocols in place without interfering with the day-to-day work of staff members. Much like records management, institutions can use risk as a lens through which to view plans, goals, and objectives.

Once organizations determine what level of risk they are willing to accept, the next step is to determine how likely the risk event is to happen and what its impact would be. Organizations should also consider parameters such as:

  • Adequate and typical constraints: What is the organization willing to do within the "adequate" risk appetite level? What are the restrictions?

  • Overall risk exposure: Based on the desired set of actions and outcomes, does the risk exposure increase, decrease, or stay the same? The level of risk exposure influences the risk appetite for any specific project or approach and, most often, the strategic direction an organization takes. This is one of the more critical metrics.

  • Analysis of long-term goals and objectives: Organizations should ultimately line up risk appetite and tolerance considerations with their longer-term objectives and with where they should be headed to accomplish and balance their strategic goals.