Key messages: Risk tolerance needs to be defined, not just the risk appetite.
Risk tolerance is defined as the
“organization’s readiness to bear the risk after risk treatments in order to achieve its objectives,
NOTE Risk tolerance can be limited by legal or regulatory requirements.”
When these definitions are compared, a reasonable assertion is that risk appetite is considered pre-treatment, while risk tolerance is used in conjunction with residual risk, which the standard defines as
“risk remaining after risk treatments.
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk is also known as retained risk”
That is, as a post-treatment consideration.
In my previous article on risk appetite I expressed the view that risk appetite is something to be applied pre-treatment. That being the case, the first pass of the risk analysis requires risk assessors to assume that there are no controls in place.
In other words, as if it were a “greenfields” proposition. It is my strong belief that if the first-pass analysis is done with controls in place, there will be a tendency to underestimate the probability and impact of each risk event. In addition, doing so assumes that the controls believed to be in place are the right tools to mitigate the threat and will work as expected should that threat actually eventuate.
Note that I am focusing on threats in this article, not opportunities. Nor should it be assumed that, when considering opportunities, one simply reverses the thinking that was applied to threats.