Intolerable appetites


Gary Hinson

Jun 28, 2025, 2:58:58 PMJun 28
to hyperg...@googlegroups.com
What do 'risk tolerance' and 'risk appetite' mean to you?

'Risk appetite' seems fairly clear to me: it concerns, expresses or defines management's 'hunger' (willingness or desire) to take a specified quantity of risk, for legitimate business reasons (such as the pursuit of market share, profit etc.).  For the hyperglossary, I found and quoted 5 'official' definitions along those lines, some noting that senior management's determination may involve the type as well as quantity of risk.  So far, so good.

'Risk tolerance', though, is less straightforward:
  • Some writers are alluding to the mathematical concept of tolerance limits (upper and lower bounds) or allowable variations.  So, for example, the allowable proportion of false acceptance or false rejection results from an authentication check might be specified as part of the control design.  Maybe.

  • A few contrast 'tolerance' with 'appetite': the former suggests a reluctance to go beyond some level of risk, while the latter suggests a reluctance to fall below some level of risk - in other words, these are the upper and lower bounds of acceptability, much like the mathematical concept.

  • Many (most?) are ambiguous about the meaning, seemingly referring to 'risk appetite' as noted above.  Either they are synonyms or I am just not picking up on some subtle distinction.
I found 5 'official' definitions for risk tolerance too, including two similar but different definitions in the ISACA glossary at https://www.isaca.org/resources/glossary:
[image: first ISACA glossary definition of risk tolerance]
and
[image: second ISACA glossary definition of risk tolerance]
So, I decided to go with the mathematical-style range definition for 'risk tolerance', also mentioning the confusion or conflation with 'risk appetite'.  Do you agree?  

Kind regards/Ngā mihi,

________________________________________

Gary Hinson CEO of IsecT Ltd

Information risk and security consulting

ISO27k  Audit  ISMS templates and policies
Pragmatic Security Metrics (with Krag Brotby)
Cybersecurity Hyperglossary (forthcoming!)

________________________________________

Krag Brotby

Jun 29, 2025, 12:48:03 AMJun 29
to hyperg...@googlegroups.com
Risk tolerance in my camp is the allowable deviation from acceptable risk


Gary Hinson

Jun 29, 2025, 12:54:10 AMJun 29
to hyperg...@googlegroups.com
So that's relative to 'acceptable' risk ... which is presumably the same as the 'appetite'?   Or have I got the wrong end of the stick, again?

Does your risk tolerance involve lower and upper bounds of risk, or just upper?

Kind regards/Ngā mihi,



joel....@micron21.com

Jun 29, 2025, 11:52:45 PMJun 29
to Cybersecurity hyperglossary

My definition for the “appetite for risk” has always been less mathematical, and more emotional.

  • My CFO's appetite for risk she understands is low. She does _not_ want to eat, but will begrudgingly.
    • We classify her as having a low appetite for these risks.
  • Her appetite for risk she does _not_ understand is _zero_. She will not eat the mystery meats.
    • We classify her as having no appetite for these risks.
We cannot put these into numbers, because the company might have a risk rated using a 3x3 matrix (Likelihood 1, Impact 1, Risk level of two) that in our SRMP is "Acceptable, treatment recommended".
This same person's tolerance for risk is also an emotional value, and not one so easily put to numbers, as it is tied to their appetite for risk.

  • My CFO already has a low appetite for risk, but will accept risks within their appetite;
  • Their tolerance is limited, and as more risks (even acceptable risks) present themselves, their appetite for risk goes down.
As a company, we mathematically accept this risk, even without treatment. Our CFO does not “like” this; accepting risk without treatment is being made to eat her steamed vegetables without salt and pepper. Keeping with this analogy, the CFO fills up quickly because of a low tolerance for risk, and graduates to a near-zero appetite.
An idea of the inverse: one of my Tech guys has a moderate appetite for risk, which they feel closely aligns with our SRMP. They also have a fairly high tolerance for risk, and thus:

  • They have a high appetite for risk and willingly accept all risks that the SRMP defines as acceptable. "Treatment recommended" doesn't faze them. Only unacceptable risks will consume their appetite.
  • They have a high tolerance for risk; a handful of unacceptable risks that require some kind of treatment are fine for them to keep track of, but only once this list grows will their tolerance begin to affect their appetite.
Once again with the analogy: we continue to mathematically accept this risk, even without treatment. My tech guy is fine accepting risk without treatment; it's an all-you-can-eat buffet, and quality means very little to this hungry guy. However, after enough bad bain-marie food the tech guy becomes more cautious, only eating from the dishes he knows agree with him.
To summarise:

  • The risk acceptance (its level of "Acceptable or Not") is definitive, mathematical, process driven, and clear-cut.
  • The risk appetite is personal to the owner/board/reporter/stakeholder, who all have different appetites for risk. This is less clear cut, very emotional, even for acceptable risk.
  • The risk tolerance is the stakeholders' bandwidth to maintain their risk appetite, and is again emotional and difficult to measure.

So in my case, there are only positive integer descriptions for risk tolerance ("None", "Some", "Heaps").

This of course is just my 2 cents. Keen to hear other folks’ food-laden analogies!

Kind Regards,

Joel McLean

joel....@micron21.com

Jun 29, 2025, 11:52:54 PMJun 29
to Cybersecurity hyperglossary
...Did my reply not save, or am I just in some pending limbo?

Cybersecurity hyperglossary

Jun 30, 2025, 12:16:59 AMJun 30
to Cybersecurity hyperglossary
Nice analogy, Joel.

Given that risk appetite (or tolerance or whatever tag it has) is a personal thing, and that we all differ, it's a fair bet that the mean level across a mid to large organisation's people would be somewhere around the middle of a notional risk scale.  Some thrill-seekers would be happy with rather more, some timid types rather less.  Most would be middling, I think.

Also, if you surveyed the same people some time later (after they'd forgotten their original answers), there's a fair chance some will have changed their opinions based on various factors (such as recent news headlines) and experiences (e.g. lottery wins or personal crises).  So I suspect the risk levels would tend even closer to the mean.   

For information risk management purposes, the main factor I guess is management's risk appetite, representing the organisation as a whole, with a forward perspective (the risk level they aspire the organisation to reach or sustain).  I'm not aware of anyone actually doing risk appetite surveys of management, though it's possible.  In my experience, risk appetites mostly come into effect when project proposals, initiatives, budgets and strategies are being drafted, debated and eventually agreed - or modified - or rejected.  Financial risks are treated more mathematically/rigorously with modelling and may have explicit targets or tolerance ranges (e.g. "Every investment is expected to beat the current cost of capital over the projected payback period, as adjusted for inflation [or something]"), but still project proposals have to run the gauntlet of one or more management meetings where various assumptions and projections are challenged.  The actual decisions tend to be largely gut-based, even when the financial case is quite clear, and management typically seeks to maintain a balanced portfolio mixing some low, some mid and a few high risk projects - the proportions depending on the current economic and business situation and projections.

Seems to me risk appetite is a vague notion or concept without much practical value.

Regards,
Gary

joel....@micron21.com

Jun 30, 2025, 12:22:36 AMJun 30
to Cybersecurity hyperglossary
"risk appetite | This is a vague notion or concept without much practical value."
Probably a bit naff for your book, but damn, that's a fine definition!

Gary Hinson

Jun 30, 2025, 12:34:11 AMJun 30
to hyperg...@googlegroups.com
It'd need a bit of wordsmithing but I guess yes it has potential!

Meanwhile, here's the current entry:

[image: current hyperglossary entry for risk appetite]

and here's my attempt to define risk tolerance:

[image: draft hyperglossary entry for risk tolerance]

Kind regards/Ngā mihi,


Krag Brotby

Jun 30, 2025, 1:55:59 PMJun 30
to hyperg...@googlegroups.com
Tolerance applies both up and down, since "measurements" of risk are at best approximations; a precise number is silly and so a range is far more appropriate.

Gary Hinson

Jun 30, 2025, 6:30:43 PMJun 30
to hyperg...@googlegroups.com
Just when I thought we were spiralling-in on consensus, I bumped into these papers on this very topic from the Institute of Risk Management:

[image: Institute of Risk Management web page on risk appetite and tolerance]

Risk appetite and tolerance: guidance for practitioners

Risk appetite can be defined as 'the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives'. Organisations will have different risk appetites depending on their sector, culture and objectives. A range of appetites exist for different risks and these may change over time.

Risk appetite and tolerance need to be high on any board's agenda and are a core consideration of an enterprise risk management approach. Our guidance provides practical direction, advice and information to support boardroom debate.

While risk appetite will always mean different things to different people, a properly communicated, appropriate risk appetite statement can actively help organisations achieve goals and support sustainability.

The IRM guidance for practitioners and summary for boards, both free downloads, are substantial documents (42 and 24 pages) that will take me a while to digest and consider whether to update the hyperglossary definitions.  Seems I need to dive back into the rabbit warren! 

Kind regards/Ngā mihi,




Krag Brotby

Jul 1, 2025, 6:55:15 AMJul 1
to hyperg...@googlegroups.com
If "tolerate" is used as in how much you can stand, there is clearly no need for the term - we already have "acceptable risk" in CISM and CISA amongst others, as well as "risk appetite".
Tolerance(s) in the more-or-less meaning makes sense, since risk metrics are always going to be at best a probability, except in rare instances like a dice roll where probability is limited to a precise number of possibilities. Risk appetite or acceptability in life and infosec as an exact probability is nonsense - e.g. "my risk appetite is limited to 13.2% probability of disaster; my tolerance for risk is 7.8%" is stupid. 80 to 90% odds of success is rational.
