Risk appetite is an organisation's deliberate decision about how much risk it is willing to accept. It serves as the frame for all risk decisions, from supplier management to strategic planning.
Risk Appetite vs. Risk Tolerance
Risk appetite and risk tolerance are often confused. Risk appetite is the strategic frame: how much risk do we fundamentally want to take? Risk tolerance is the operational threshold: which deviations from that target do we still accept before acting? In the supplier context, the risk appetite defines, for example, how many critical suppliers without a backup option are acceptable, while the tolerance defines how far the actual number may drift above that figure before an escalation is triggered.
A clearly defined risk appetite is the foundation for consistent risk decisions across the organisation, including supplier management.
Risk Appetite in the TPRM context
In third-party risk management, the risk appetite defines which supplier risks are acceptable. Examples: the maximum concentration of critical services on a single cloud provider, the minimum security rating for critical suppliers, the maximum number of suppliers that have not been audited. In 360TPRM these limits drive the escalation and monitoring processes.
360TPRM translates the defined risk appetite into thresholds that are checked automatically, and escalates when a supplier or the supplier portfolio exceeds them.
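The following Python script is an added illustration, not code from 360TPRM, of how appetite statements like the three examples above become machine-checkable thresholds over a supplier inventory. The supplier records, the rating scale (0 to 100) and the limit values are constructed for the example; the concentration rule is evaluated on the portfolio as a whole, the rating rule per supplier.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Supplier:
    name: str
    critical: bool
    cloud_provider: Optional[str]   # hosting provider, None if not cloud-hosted
    security_rating: int            # assumed 0-100 scale
    audited: bool
    has_backup: bool                # an alternative supplier is available

# Risk appetite statements expressed as thresholds (assumed values for the example)
APPETITE = {
    "max_cloud_concentration": 0.50,      # share of critical suppliers on any one cloud provider
    "min_rating_critical": 70,            # lowest acceptable rating for a critical supplier
    "max_unaudited": 2,                   # suppliers without a completed audit
    "max_critical_without_backup": 1,     # critical suppliers with no alternative
}

def evaluate(suppliers: List[Supplier], appetite=APPETITE) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every appetite limit that is exceeded."""
    breaches: List[Tuple[str, str]] = []
    critical = [s for s in suppliers if s.critical]

    # Portfolio-level rule: concentration on a single cloud provider among critical suppliers
    if critical:
        per_provider = Counter(s.cloud_provider for s in critical if s.cloud_provider)
        for provider, n in per_provider.items():
            share = n / len(critical)
            if share > appetite["max_cloud_concentration"]:
                breaches.append(("concentration",
                                 f"{share:.0%} of critical suppliers on {provider} "
                                 f"(limit {appetite['max_cloud_concentration']:.0%})"))

    # Per-supplier rule: minimum security rating for critical suppliers
    for s in critical:
        if s.security_rating < appetite["min_rating_critical"]:
            breaches.append(("min_rating",
                             f"{s.name} rated {s.security_rating} "
                             f"(minimum {appetite['min_rating_critical']})"))

    # Portfolio-level rule: number of unaudited suppliers
    unaudited = [s.name for s in suppliers if not s.audited]
    if len(unaudited) > appetite["max_unaudited"]:
        breaches.append(("unaudited",
                         f"{len(unaudited)} unaudited suppliers {unaudited} "
                         f"(limit {appetite['max_unaudited']})"))

    # Portfolio-level rule: critical suppliers without a backup option
    no_backup = [s.name for s in critical if not s.has_backup]
    if len(no_backup) > appetite["max_critical_without_backup"]:
        breaches.append(("no_backup",
                         f"{len(no_backup)} critical suppliers without backup {no_backup} "
                         f"(limit {appetite['max_critical_without_backup']})"))
    return breaches

# Constructed supplier inventory for the example
SAMPLE_SUPPLIERS = [
    Supplier("PayGate",   True,  "aws",   85, True,  True),
    Supplier("DocStore",  True,  "aws",   60, True,  False),
    Supplier("MailRelay", True,  "aws",   75, False, True),
    Supplier("Printshop", False, "azure", 50, False, True),
    Supplier("IdP",       True,  "azure", 90, True,  True),
    Supplier("Catering",  False, None,    40, False, False),
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_SUPPLIERS):
        print(f"ESCALATE [{rule}]: {detail}")
```

On the constructed inventory the script flags three breaches (75% of critical suppliers on one provider, one critical supplier rated below the minimum, three unaudited suppliers) and no breach of the backup rule, since exactly one critical supplier without a backup is still within the appetite. A tolerance band, in the sense of the section above, would be a second, slightly higher set of limits at which a warning becomes an escalation.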
Risk Appetite and regulatory requirements
DORA explicitly requires financial entities to set their ICT risk tolerance in line with the risk appetite, and NIS2 makes management bodies responsible for approving and overseeing the cybersecurity risk-management measures. In both cases management must define and own the risk appetite. ISO 31000 likewise treats defining the amount and type of risk the organisation is willing to take as a fundamental part of the risk management framework.
Under NIS2 and DORA the risk appetite must be documented and approved by management; verbal agreements are not sufficient.