Appetite, tolerance, capacity: the triad that separates juniors from seniors
Opening — the day the ExCom discovered it had two appetites
Sofia, head of risk assurance at a pharma group (€4.3bn revenue), prepares her annual ERM audit. She opens the risk-appetite statement approved by the Board last year. Page 1: "The group has a moderate appetite for regulatory risk." Page 14: "The group accepts high risks in R&D to support innovation." Page 27, annex: "Zero tolerance for any risk that may lead to human harm."
Three statements, three logics. None is wrong. But none is linked to the rest of the enterprise. That is exactly the problem the CRMA is built to detect — and the appetite / tolerance / capacity triad is the diagnostic tool.
The triad on one page
| Concept | Level | Who decides | Horizon |
|---|---|---|---|
| Risk Appetite | Strategic | Board / ExCom | Long term |
| Risk Tolerance | Tactical | Operational management | Annual / per objective |
| Risk Capacity | Structural | Balance-sheet / regulatory limits | Permanent |
Appetite says: "here is what we are willing to take as risk to achieve our objectives." Tolerance says: "on this specific objective, here is the maximum deviation from appetite I allow." Capacity says: "here is the absolute maximum the structure can absorb without breaking."
Why a non-operationalised appetite is useless
Sofia’s problem: the appetite statement existed, but no one had defined operational tolerances. Consequence: every BU interpreted "moderate" differently. The US subsidiary operated with an implicit tolerance of 80% of EBIT, the French subsidiary with 15%. Neither was wrong; neither was aligned.
The four operationalisation tests
For an appetite to be auditable, it must pass four tests:
- Measurable — expressed in clear quantitative or categorical metrics.
- Translated — broken down by strategic objective and BU into tolerances.
- Monitored — KRIs / KPIs tied to it, with alert thresholds.
- Governed — a committee reviews deviations at least quarterly.
How Sofia reframed the ExCom in 30 minutes
Sofia presented one table: the appetite × BU × KRI matrix. Each cell was either green (KRI calibrated to tolerance), orange (KRI exists but not aligned), or red (no KRI). Out of 36 cells, 22 were orange or red. The ExCom immediately saw the issue: it wasn’t about revising appetite, it was about building the translation.
Six months later, the Board approved a new appetite statement together with 47 quantitative KRIs. Sofia recorded this work in her ERM assurance report as a major maturity improvement, level 4 out of 5 (IIA Risk Maturity Model).
Key takeaways
- The triad: Appetite (strategic) > Tolerance (tactical) > Capacity (absolute).
- Operationalisation is the audit prerequisite — a non-translated appetite is useless.
- The 4 tests: measurable, translated, monitored, governed.
- CRMA assurance: audits the translation and the monitoring, not the statement.
