Risk management is all about ensuring you both understand and optimize the amount of risk your organization is taking in pursuit of strategy. It’s not about getting rid of risk; it’s about taking the “right” amount. A number of terms are used in differing ways in various organizations. Here is one perspective on how they should be defined:
Risk capacity: This defines what your organization is able to bear in terms of amount and type of risk. It differs from appetite because not every organization is willing to gamble everything on every new strategy that comes along. Some are; it depends on who is leading and what is at stake.
Risk appetite: This is what your organization is willing to accept in terms of risk, in pursuit of the strategy. How far is the board willing to go? Something every CEO needs to know.
Risk tolerance: Tolerance is the maximum amount of risk acceptable, specific to your major risks or areas of appetite. It is not intended to replace the balanced scorecard; this is a broader, longer-term perspective within which the executive builds business plans.
Risk target: The ideal level of risk you want to take in pursuit of your strategy. Your organization may find itself offside with certain risk levels (above or below) when you first define all this. The only way to find out is to build this framework.
Being clear on what is expected, and where you currently stand, is a very good thing.