RISK APPETITE: how much risk an organization is willing to take on to ensure it has ample opportunity to achieve its objective.
RISK TOLERANCE: communicates the appropriate level at which a risk must be managed to be considered acceptable. Risk tolerance is not defined as a single finite number, but rather as a tolerable zone or range of values where an operational risk is neither under-managed nor over-managed. When a risk is under-managed, existing management activities and practices around that risk do not produce enough certainty that operational objectives will be achieved.
When a risk is over-managed, the amount of certainty produced by existing management activities and practices does not merit the investment of time, effort, and resources dedicated to the risk and would be better applied elsewhere.