Terminology: Risk Tolerance, Risk Capacity, and Other Related Terms
For a straightforward (if a bit reductive) definition and comparison of the terms “risk tolerance” and “risk capacity,” the two can be distinguished by their qualitative and quantitative nature, respectively.
Risk capacity is how much risk can be accepted (and loss potentially absorbed) without fully undermining the organization. Risk tolerance is a matter of disposition—how comfortable decision-makers feel with the risk factors of a given venture. In other words, risk tolerance is a measure of confidence and expectation, while risk capacity is a measure of financial resilience.
But there’s more to both of these definitions, and other terms merit mentioning in the discussion. Below is a closer look at each of them.
Risk tolerance is the industry term used to refer to the level of confidence or trepidation stakeholders experience regarding a given investment, venture, or other business process. Higher risk tolerance can lead to accepting more uncertainty, greater potential losses, or lower possibilities of success. Low risk tolerance motivates the opposite, driving more cautious decisions.
The two most important details about risk tolerance are these. First, risk tolerance can be, but isn’t always, based on an accurate analysis of relevant data. It can be a “hunch,” a predisposition, a lack of understanding, etc.
Second, risk tolerance is not inherently good or bad. High risk tolerance can result in positive, negative, or both outcomes. The same is true for lower risk tolerance. The true danger lies in using risk tolerance exclusively to drive decision-making.
By stark contrast, risk capacity is a quantitative assessment of an organization's ability to absorb losses and, by extension, to accept the potential risk of a loss occurring. Risk capacity has two primary factors: resilience and opportunity cost. The former, as mentioned, points to an ability to bounce back from loss if it becomes unavoidable.
As for the latter, the discussion of “Can we afford not to invest in this?” starts to dip into the domain of the next term. But the most effective calculations of risk capacity consider both the sunk cost and the cost of missed opportunities.
Next, we have the first of our related terms. Risk appetite is similar to risk tolerance but with a more holistic view of the stakes, objectives, and possibilities at play. Risk tolerance describes confidence levels in a single investment, and risk appetite describes the willingness to accept risks across the entire portfolio in pursuit of the current objectives.
When describing tolerance, capacity, and appetite, perhaps the simplest way to illustrate the differences and importance of each is with a gambling analogy:
If the “investment” in question is imagined as a card table at a casino, risk tolerance refers to a player's inclination to bet or fold on a given hand. Risk appetite refers to a player’s willingness to expose themselves to risk throughout the game to claim their share of the potential winnings.
As for risk capacity, this might be analogous to both the amount of “buy-in” a player brings to the table to bet with and the impact that a total loss would have on their finances as a whole.
Finally, risk attitude is a matter of approach. Where the previous terms are measurements, either in concrete data or in rough estimations, risk attitude is how an organization takes those values and applies them to their business decisions.
A business’s risk attitude may be bold or careful, calculated or casual, organized or overlooked. While it doesn’t necessarily describe the specific strategies and tactics, risk attitude can describe intention, guiding principles, and thresholds for success and failure.
Why We Distinguish Between These Terms
As much as we seek to quantify and apply logic to risk management, there is no way to fully remove the human, emotional element from business decisions. Even with advanced machine learning providing widespread access to predictive and prescriptive analytics, “AI” is as far from fully replacing management staff as it is from fully replacing creatives and developers.
In business, we depend on human professionals' experience, intuition, and wisdom. For better or worse, that means we’re also subject to the shortcomings those same humans bring to the table.
This means that, even with the most robust risk management strategy in place, teams must account for the gap between perceived risk and actual risk, between perceived capacity and actual capacity.
Sometimes tolerance exceeds capacity, which can lead to unnecessary losses. Recent years have seen fallout from widespread, overconfident growth and investing in several industries, which resulted in market-wide cutbacks in response to economic downturns.
On the other hand, sometimes capacity exceeds tolerance. A brand may have the resources and flexibility to invest in more uncertain initiatives but decide against doing so out of overestimated risk, or underestimated potential returns. This is, in essence, what occurs whenever a long-standing corporation is forced out of business by major technological or market disruption.
Breaking down the definitions helps pinpoint more accurately where problems lie in the decision-making process, and how those problems should be addressed to correct them.
Risk Tolerance vs Risk Capacity vs Risk Appetite vs Risk Attitude: Which Is Most Important?
As mentioned above, dealing with risk in business has a lot in common with gambling. And as any seasoned gambler, investor, or entrepreneur will tell you: the most dependable long-term strategy is to only bet with money you can afford to lose.
You must know your risk capacity to know what kinds of losses can be effectively absorbed without unduly interfering with the business. Moreover, identifying the thresholds between cautious, optimistic, unrealistic, and dangerous investments can’t be done without that baseline capacity measurement.
Whether more aggressive or prudent business decisions are the wisest will vary by timeframe, circumstance, and hundreds of other factors. But none of those cost/benefit discussions can happen effectively until you have hard figures for what’s available to bet with, and what’s at stake in the event of a loss.
So, even without a more comprehensive risk management approach, it’s critical to have accurate, quantifiable measurements of the org’s risk capacity before anything else.
Calculating Risk Capacity and Risk Tolerance
Unfortunately, there’s no universal standard for measuring or calculating risk capacity (let alone risk tolerance). Industry best practices can help you build an initial baseline, but with the high complexities involved in analyzing risk, it’s often a good idea to consult third-party experts, tools, and resources.
That said, even when you enlist external support for the effort, they’re likely to focus on widely accepted major factors. Let’s take a look at risk capacity and risk tolerance separately.
Risk Capacity Factors
When enterprise risk management (ERM) professionals evaluate and calculate risk capacity, they will often use a system of metrics and measurements they’ve developed internally. As already mentioned, there’s no common standard for even quantitative risk measurements like this, so different consultancies will base their analysis on slightly different factors.
In general, however, a few are broadly accepted as best-practice values to base these measurements on. Most common among them are the following three:
- Your current assets and liabilities
- Your projected future, low-uncertainty profit and loss values
- Historical data regarding your industry, your brand, and your markets
This is the same process used when a consumer applies for an auto loan—they are evaluated for their level of risk. Businesses often have the advantage of larger data sets and more accurate data, which can lead to more reliable capacity calculations. But it’s not foolproof in either direction, and the measurement may over- or underestimate by a fair amount.
Risk Tolerance Factors
As a psychologically driven, qualitative value, risk tolerance is a lot harder to convert into a numerical figure. Most risk management professionals will at least begin this process with a survey to gauge risk aversion, acceptable levels of volatility, and expectations of success. And in many cases, the particular factors measured will mimic those used for risk capacity.
For example, a risk tolerance assessment may examine:
- Your current portfolio (be that stock investments, current business cash flow, average risks and profits in your industry, etc.)
- Relevant timeframes (rate of spend, current assets/resources, major milestones, etc.)
- Environmental, circumstantial, and other factors outside your direct control
But there are also more fluid and subjective aspects that have to be accounted for, such as current objectives and goals, and self-defined “fail states.” And, most confoundingly, there are distinct human aspects to measuring risk tolerance. Individual comfort level, for one, can be completely unmoored from actual data and heavily biased.
Those who have yet to experience a major loss, either personally or professionally, may be unduly optimistic in their projections and expectations. Meanwhile, those dealing with downturns may express an unproductive level of risk aversion, even when hypothetical scenarios postulate higher levels of certainty and potential returns.
Regarding investment portfolios, an individual’s age can be a factor, with time in the market determining the potential benefit or danger a high-risk venture poses.
Listing all possible relevant factors here would be difficult, especially without narrowing the focus to particular categories of risk and business decisions. But, inventoried or not, these factors are still at play in your risk tolerance.
Regulating Risk Tolerance for Better Outcomes
Going a step further, both tolerance and capacity can fluctuate—often dramatically so—over weeks, months, or years. Accounting for these variables and inconsistencies can be difficult, especially for risk tolerance, which can swing back and forth like a pendulum based on many factors, including an individual’s perceived personal “luck.”
But does “feeling lucky” unduly impact business decisions, financial outcomes, or success for the organization as a whole?
Yes, in fact. And often without anyone recognizing the self-sabotage.
How Risk Tolerance Impacts Business Decisions
If you’ve ever stopped for coffee on the way to the office when you were already running behind, assuring yourself that you can still make it on time—especially if you ultimately proved yourself wrong—you’ve seen how risk tolerance can result in biased decision-making.
Higher stakes, however, do not always guarantee wiser decisions or even higher revenue.
Be aware that undue caution can be just as dangerous as undue confidence. Knowing how to identify low-risk opportunities or decisions with justifiably high risk levels is as important to business success as knowing “when to fold” is.
The primary problem is that many professionals will trust initial instincts, not data or experts’ advice. It goes without saying that leaning on the same biased judgment that led to a splurge purchase when debating a billion-dollar merger is poor business strategy.
How to Manage Risk Tolerance
What’s important to keep in mind is that, for risk capacity especially, simply taking the time to measure, assess, and analyze your relationship to risk can improve decisions and outcomes. Merely having data-backed risk capacity figures that indicate how a given loss will impact the bottom line, for example, can provide a reality check to decision-makers who currently harbor an extremely high or low risk tolerance.
For those with more reasonable tolerance levels, accurate risk capacity figures can validate their current estimation of the factors at play, empowering them to make and implement decisions more confidently and effectively.
And risk tolerance benefits dramatically from a little self-awareness and introspection. Biases typically go undetected (on a personal and organizational level) as long as they go unexamined. Taking inventory of logical and analytical fallacies that influence your risk tolerance can make it easier to compensate for them.
Ultimately, this is where risk attitude comes into play. Once you’ve evaluated risk tolerance and risk capacity and found a recurring discrepancy, you can start to plan accordingly. That may mean applying a more reserved, cautious methodology when tolerance is high and capacity is low, for example, or committing to a more aggressive policy when capacity is generous but tolerance is too restrictive.
Risk Tolerance vs Risk Capacity in Cybersecurity
Now, thus far, much of this discussion has been directed toward forward-facing risk management: new opportunities for potential growth, possible future disruptions and downturns, and so on. But many areas of risk analysis deal with issues inherent in the systems we already use, whether we know it or not.
Such is the case with cybersecurity, privacy concerns, compliance issues, etc.
In the last two decades, there’s been a meteoric rise in cyber threats, major breaches, and increasingly strict regulatory legislation as governments attempt to address these problems. It’s a complex, messy, and expensive issue for all involved, but it’s also a tangled nest of risks that affect virtually everyone who touches a digital device—both professionally and in their personal lives.
And, unlike many risk management topics, Infrastructure and Operations (I&O) matters have an added layer of technical difficulty that makes analysis, strategy, and remediation frustrating for all involved.
Regarding digital systems, the risk capacity is often measured and calculated by the technical teams—IT departments, InfoSec staff, software and DevOps teams, etc. These professionals have the expertise to understand the systems at play, the potential areas of vulnerability, the likelihood of losses, and the cost of responding to disasters after the fact.
On the other hand, risk tolerance is usually determined by the members of leadership that make budget decisions for those technical teams. And while some senior staff may have first-hand technical expertise, not all of them will in most instances. It’s even possible for management teams to consist entirely of professionals with business experience, not technical experience.
Whenever there’s a separation between those who quantify risk factors and those who decide how to handle them, there is a dangerous inclination to dismiss concerns that aren’t fully understood.
This dynamic occurs all too frequently in organizations of nearly every size. Tech teams may call for dramatic, immediate changes without knowing the financial context into which such an expense would have to fit. And management teams are often tasked with making hard budget decisions without a way to personally calculate or prioritize I&O investments.
Such misalignments have been around almost as long as system administrator has been a distinct career. But accepting the status quo on this topic is much more dangerous than it used to be. These days, digital systems carry a disproportionate share of risk factors and potential losses. And problems like these won’t simply go away if ignored long enough.
Security concerns don’t spontaneously disappear. They just turn into GRC landmines.
How RiskRecon by Mastercard Can Help
“Risk” can refer to a broad range of uncertain business outcomes, and addressing the entire portfolio of vulnerabilities for the organization will likely require more than a single tool, tactic, or strategy.
Whether you're vetting vendors and partners for security risks, attempting to minimize vulnerable attack surfaces in your own system, or preparing to meet new IT compliance standards, RiskRecon by Mastercard can help. Don't let unmanaged cyber risk and unknown risk tolerance biases negatively impact your organization. Get proactive, and get the intel you need to build winning strategies.