Risk Profile, Risk Appetite, Risk Acceptance, Risk Tolerance and Risk Capacity.

Let's try to clear the fog.

Risk Profile is simply an overview of the Risk Landscape in the context of an organization. What are we afraid of, and where?

Risk Appetite is simply the number of risks we want to take. How many risks is it OK to have? Risk Appetite may sometimes be stated by policies and standards established by Senior Management.

Risk Acceptance is the decision to accept a risk as it is, without taking steps to reduce or mitigate it. It means deciding to live with a certain level of risk because dealing with it further isn’t worth the effort or cost.

Risk Acceptance should not exceed Risk Appetite and can't exceed Risk Tolerance.

Risk Tolerance tells us how much risk you can handle without too much stress. How much is an organization willing to bear? It is sometimes also established by policies and standards provided by Senior Management.

Risk Capacity, by contrast, indicates whether you can handle the risk, based on operational and financial stability. Basically, it is how much we can take before our business dies.

Having a clearly defined Risk Appetite & Capacity is not that common, even though there are plenty of benefits. Take a look:

  • providing evidence for risk-based decision-making processes,
  • understanding how components contribute to the overall risk profile,
  • understanding how resource allocation can add or lessen the burden of risk,
  • prioritizing response actions through risk budgets,
  • identifying areas where risk response should be made.

It requires significant effort though. That might be the problem.

Hence remember to have all 5 elements in place:

  1. Risk Profile,
  2. Risk Appetite,
  3. Risk Acceptance,
  4. Risk Tolerance,
  5. Risk Capacity.

M.