New guidance from ISACA provides context on how enterprises can understand, communicate and apply risk terms to better manage risk tolerance.
ISACA’s white paper Using Risk Tolerance to Support Enterprise Strategy identifies key benefits of risk tolerance, such as supporting conscious and informed risk taking, promoting consistent risk management practices and structuring the executive conversation around risk taking. Effective approaches to implementing risk tolerance provide transparency around the risk management process and strengthen understanding of the enterprise’s risk profile.
According to the white paper, “the combination of risk capacity, risk appetite and risk tolerance create the strategic and operational boundaries for required successful risk-based decision-making and provide an opportunity to review implications of objectives and determine required action.”
As Mary Carmichael wrote in a related ISACA Now blog post, “Conceptually, risk tolerance sets the boundaries of risk taking that the organization will not go beyond in pursuit of its long-term objectives. To support boundary setting, measures such as key risk indicators are used to align with risk tolerance limits, ensuring that the organization remains in its risk appetite and on track to achieve its objectives.”
ISACA’s Risk IT Framework, 2nd Edition, free to members, uses risk tolerance when choosing risk response options. Depending on the timing, probability and magnitude of a risk, the board might be involved in approving a risk response.
Download Using Risk Tolerance to Support Enterprise Strategy at www.isaca.org/using-risk-tolerance-to-support-enterprise-strategy.