Risk appetite is the broad amount of risk an organisation is willing to accept in pursuit of its objectives, set by the board. Risk tolerance is the narrower, measurable boundary of acceptable variation within that appetite for a specific risk or objective. In short, appetite is strategic and tolerance is operational.
The core difference in plain terms
The two terms are constantly confused, and that confusion has real cost because it leaves teams unsure when to escalate. The cleanest way to hold them apart is by altitude. Appetite is the high-level posture the board adopts toward risk overall: how much it is willing to put at stake to grow. Tolerance is the precise, usually quantified limit that operational teams must stay within for a given category of risk.
A familiar analogy is a highway. The posted speed limit is the appetite, the agreed statement of how fast traffic should move. The point at which police actually start issuing tickets is the tolerance, the operational boundary that signals the limit has been breached. One sets direction; the other triggers action.
How appetite and tolerance relate
Tolerance always lives inside appetite. The board first agrees the appetite as a strategic statement, and management then translates it into specific tolerances and risk limits that can be monitored. Appetite tends to be qualitative and durable, changing rarely. Tolerance is quantitative and granular, expressed as thresholds that can be checked daily or weekly.
- Appetite is strategic; tolerance is tactical and operational.
- Appetite is set by the board and senior management; tolerance is set by management within that mandate.
- Appetite is usually qualitative; tolerance is usually quantitative, with defined numbers.
- Appetite is broad and applies across the enterprise; tolerance is specific to a risk, objective or business unit.
- Appetite changes rarely; tolerance is monitored continuously and can be tuned more often.
A worked example with numbers
Imagine a payments company. Its board issues an appetite statement: "We will not accept risks that could cause a significant loss of our core revenue base." That is direction, but you cannot monitor it directly. So management converts it into tolerances.
One tolerance reads: "Revenue from our top 10 customers must not decline by more than 10 percent in any quarter." Another, for IT, reads: "Unplanned downtime of the payment gateway must not exceed 45 minutes per month." These are testable. If concentration risk pushes top-customer revenue down 8 percent, the team is inside tolerance but should be watching closely. At 11 percent, tolerance is breached and escalation is mandatory, even though the broad appetite statement never mentioned a single number.
ISACA notes that organisations frequently conflate risk appetite and risk tolerance, and that the distinction matters because tolerance is what makes appetite measurable and enforceable in day-to-day decisions (ISACA, 2022).
How the board sets appetite
Setting appetite is a board-level act, not a back-office exercise. In practice the board considers strategy, stakeholder expectations, capital strength and regulatory obligations, then articulates how much risk it will accept to reach its goals. The output is usually a short risk appetite statement covering the main risk categories, such as financial, operational, cyber, compliance and reputational, sometimes with a directional indicator of whether appetite is low, moderate or high for each.
Management then carries that statement down into the organisation, translating each category into tolerances and limits that frontline teams can actually use. This top-down flow is what keeps everyday decisions aligned with the strategy the board signed up to.
Mapping to KRIs and risk limits
Tolerance is where key risk indicators earn their keep. A KRI is a metric that tracks how close a risk is to its tolerance threshold, giving an early warning before a limit is breached. The downtime tolerance above becomes a KRI dashboard tile; the customer-concentration tolerance becomes a monthly trend line. Well-designed KRIs include a green, amber and red band so that approaching a limit prompts action before the limit is actually crossed.
This is also where appetite and tolerance connect to treatment. When a KRI moves into amber, it signals that residual risk is drifting toward the edge of tolerance, which should trigger a review of controls. Our guide to ISO 31000 risk management walks through that monitoring-and-review loop in detail.
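To show how the worked tolerances above become monitored KRIs with green, amber and red bands, here is an added example (not code from the original article or from any framework it cites). It uses the article's two limits, 10 percent quarterly decline and 45 minutes of unplanned downtime per month; the amber band starting at 70 percent of each limit, the dataclass names and the incident records are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tolerance:
    """A management-set tolerance. 'limit' is the breach threshold (red band);
    'amber_fraction' is an assumption here (the article names no value): the
    share of the limit at which the early-warning band starts."""
    name: str
    limit: float
    unit: str
    amber_fraction: float = 0.7

# The two tolerances from the article's worked example, with assumed amber bands.
TOP10_REVENUE_DECLINE = Tolerance("top-10 customer revenue decline", 10.0, "% per quarter")
GATEWAY_DOWNTIME = Tolerance("gateway unplanned downtime", 45.0, "minutes per month")

def kri_band(tol: Tolerance, observed: float) -> str:
    """'red' once the limit is exceeded (a breach, since the tolerance says
    'must not exceed'), 'amber' from amber_fraction of the limit upward,
    otherwise 'green'. Exactly at the limit is still inside tolerance."""
    if observed > tol.limit:
        return "red"
    if observed >= tol.amber_fraction * tol.limit:
        return "amber"
    return "green"

def revenue_decline_pct(previous_quarter: float, current_quarter: float) -> float:
    """Quarter-on-quarter decline in percent. Growth counts as zero decline,
    because the tolerance bounds only the downside."""
    if previous_quarter <= 0:
        raise ValueError("previous-quarter revenue must be positive")
    return round(max(0.0, (previous_quarter - current_quarter) * 100 / previous_quarter), 4)

def unplanned_downtime_minutes(incidents: list, month: str) -> float:
    """Sum outage minutes for one 'YYYY-MM', ignoring planned maintenance
    windows, which the tolerance wording excludes."""
    return sum(i["minutes"] for i in incidents
               if i["month"] == month and not i["planned"])

def evaluate(tol: Tolerance, observed: float) -> dict:
    """One dashboard row: the band, and whether escalation is mandatory."""
    band = kri_band(tol, observed)
    return {"kri": tol.name, "observed": observed, "unit": tol.unit,
            "band": band, "escalate": band == "red"}

# Constructed sample incident log, not real figures.
SAMPLE_INCIDENTS = [
    {"month": "2024-03", "minutes": 30, "planned": False},
    {"month": "2024-03", "minutes": 90, "planned": True},
    {"month": "2024-03", "minutes": 20, "planned": False},
    {"month": "2024-04", "minutes": 12, "planned": False},
]

if __name__ == "__main__":
    print(evaluate(TOP10_REVENUE_DECLINE, revenue_decline_pct(1_000_000, 920_000)))
    print(evaluate(GATEWAY_DOWNTIME, unplanned_downtime_minutes(SAMPLE_INCIDENTS, "2024-03")))
```

With these inputs the 8 percent decline lands in amber (inside tolerance, watch closely) while 50 unplanned minutes in March exceeds 45 and is flagged for mandatory escalation.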
Framework framing: ISO 31000 and COSO ERM
Both major frameworks address these ideas, with slightly different vocabulary. ISO 31000 frames risk management around establishing context, then assessing and treating risk against criteria the organisation defines, which is effectively where appetite and tolerance live. COSO ERM is more explicit, naming risk appetite as a central concept and linking it directly to strategy and performance, with tolerance expressed as the acceptable variation in performance relative to objectives.
The practical takeaway is the same regardless of framework. Appetite without tolerance is a slogan that no one can act on, and tolerance without appetite is a set of numbers with no strategic anchor. You need both: the board sets the appetite, management converts it into measurable tolerances and limits, and KRIs keep everyone honest in between. Teams preparing for credentials such as CRISC should be able to move fluently between the two, because the exam tests exactly this judgement.
Common confusions to avoid
A few recurring mistakes undermine even well-intentioned programmes. The first is treating an appetite statement as a control: it sets direction but cannot be monitored on its own, so it must be backed by tolerances. The second is setting tolerances that no one owns, which means breaches are noticed but never escalated. The third is letting appetite and tolerance drift apart over time, so the limits teams monitor no longer reflect the strategy the board endorsed.
In our experience the fix is a simple annual cycle. Reconfirm the appetite at board level, re-derive the tolerances and limits beneath it, check that every tolerance has a named owner and a live KRI, and retire any metric that no longer maps to a real objective. Done consistently, that keeps the strategic intent and the operational reality pointing in the same direction.