Queensland Audit Office

Risk appetite and risk tolerance continue to be important conversations in how the public sector applies risk management practices. A good risk management framework defines and uses risk appetite and risk tolerance to help an entity achieve its strategic and operational objectives while keeping risk exposures in check.

What’s the difference between risk appetite and risk tolerance?

Risk appetite is the amount of risk that an entity is prepared to accept or be exposed to at any point in time. It is the level of risk at which further mitigation is not required. There is no one-size-fits-all risk appetite statement: it is commonly expressed on a scale from low to high, and an entity may hold different appetites for different categories of key risk, for example strategic, financial, reputational, workplace health and safety, and operational risks.

Risk tolerance is the amount of loss or variation from its objectives that an entity is prepared to accept after it has dealt with a risk (for example, by treatment, acceptance, or avoidance) in order to achieve those objectives. An entity expresses risk tolerances to support its risk appetite statements and to guide management in applying them to the entity’s daily operations.

Clear risk appetite and risk tolerance statements allow management to focus on achieving the entity’s objectives. By articulating these, an entity makes explicit its attitude to risk. This in turn enables the entity to evaluate individual risks and determine which to escalate and treat.

The two examples below pair a risk appetite statement with the risk tolerance that supports it.

Example 1
Risk appetite: The entity has a moderate appetite for customer service innovation.
Risk tolerance: The entity will not accept customer satisfaction ratings below X.

Example 2
Risk appetite: The entity has no appetite for workplace health and safety risks that could lead to injury or loss of life.
Risk tolerance: The entity will accept no more than X workplace health and safety incidents per year that do not require emergency department care.

Risk appetite as a driver for improvement

Our experience over recent years is that many entities still struggle to define and articulate their risk appetite and risk tolerances.

Articulating risk appetite helps manage risk aversion. Rather than simply avoiding the negative consequences of risk, you establish clear parameters that enable well-managed risk taking. This can encourage business opportunities and innovation, and maximise value for money in service delivery.

We rarely observe entities considering opportunities within their risk assessments; most only address threats reactively.

Do you manage individual risks within your risk appetites and tolerances?

We have found that entities that have defined their risk appetite and quantified what they will tolerate have not always integrated these statements into their risk management processes. Some of the risks in their risk registers still sit outside the defined tolerance levels, with no risk treatments to bring the risk back within tolerance. The opposite also occurs: a risk sits within the entity’s tolerance levels, yet the entity identifies and implements additional controls. This could indicate an inefficient use of resources, or that the stated tolerance is higher than the entity is actually willing to accept or, worse still, not universally believed.

Linking your risk appetite and tolerances to forward risk management

Entities need to anticipate risks and their impacts on the operating environment before they materialise. Too often, entities only manage the risks already recorded in their risk registers, rather than considering the new risks they may face next or have not previously identified.

At least annually, you should consider the broader environment and operations of your entity and the risks it is exposed to, regardless of the controls already in place. Assess both internal and external risk factors.

Want to assess your current risk management practices?

QAO’s Risk management maturity model outlines five levels of maturity across key attributes of risk management. Your entity can use it to self-assess your risk management maturity.
