Risk Appetite vs Risk Tolerance: Key Differences

Standarity Editorial Team · CRISC-Certified IT Risk Practitioners · 6 min read

Risk appetite is the broad amount of risk an organisation is willing to accept in pursuit of its objectives, set by the board. Risk tolerance is the narrower, measurable boundary of acceptable variation within that appetite for a specific risk or objective. In short, appetite is strategic and tolerance is operational.

The core difference in plain terms

The two terms are constantly confused, and that confusion has real cost because it leaves teams unsure when to escalate. The cleanest way to hold them apart is by altitude. Appetite is the high-level posture the board adopts toward risk overall: how much it is willing to put at stake to grow. Tolerance is the precise, usually quantified limit that operational teams must stay within for a given category of risk.

A familiar analogy is a highway. The posted speed limit is the appetite, the agreed statement of how fast traffic should move. The point at which police actually start issuing tickets is the tolerance, the operational boundary that signals the limit has been breached. One sets direction; the other triggers action.

How appetite and tolerance relate

Tolerance always lives inside appetite. The board first agrees the appetite as a strategic statement, and management then translates it into specific tolerances and risk limits that can be monitored. Appetite tends to be qualitative and durable, changing rarely. Tolerance is quantitative and granular, expressed as thresholds that can be checked daily or weekly.

  • Appetite is strategic; tolerance is tactical and operational.
  • Appetite is set by the board and senior management; tolerance is set by management within that mandate.
  • Appetite is usually qualitative; tolerance is usually quantitative, with defined numbers.
  • Appetite is broad and applies across the enterprise; tolerance is specific to a risk, objective or business unit.
  • Appetite changes rarely; tolerance is monitored continuously and can be tuned more often.

A worked example with numbers

Imagine a payments company. Its board issues an appetite statement: "We will not accept risks that could cause a significant loss of our core revenue base." That is direction, but you cannot monitor it directly. So management converts it into tolerances.

One tolerance reads: "Revenue from our top 10 customers must not decline by more than 10 percent in any quarter." Another, for IT, reads: "Unplanned downtime of the payment gateway must not exceed 45 minutes per month." These are testable. If concentration risk pushes top-customer revenue down 8 percent, the team is inside tolerance but should be watching closely. At 11 percent, tolerance is breached and escalation is mandatory, even though the broad appetite statement never mentioned a single number.

ISACA notes that organisations frequently conflate risk appetite and risk tolerance, and that the distinction matters because tolerance is what makes appetite measurable and enforceable in day-to-day decisions (ISACA, 2022).

How the board sets appetite

Setting appetite is a board-level act, not a back-office exercise. In practice the board considers strategy, stakeholder expectations, capital strength and regulatory obligations, then articulates how much risk it will accept to reach its goals. The output is usually a short risk appetite statement covering the main risk categories, such as financial, operational, cyber, compliance and reputational, sometimes with a directional indicator of whether appetite is low, moderate or high for each.

Management then carries that statement down into the organisation, translating each category into tolerances and limits that frontline teams can actually use. This top-down flow is what keeps everyday decisions aligned with the strategy the board signed up to.

Mapping to KRIs and risk limits

Tolerance is where key risk indicators earn their keep. A KRI is a metric that tracks how close a risk is to its tolerance threshold, giving an early warning before a limit is breached. The downtime tolerance above becomes a KRI dashboard tile; the customer-concentration tolerance becomes a monthly trend line. Well-designed KRIs include a green, amber and red band so that approaching a limit prompts action before the limit is actually crossed.

This is also where appetite and tolerance connect to treatment. When a KRI moves into amber, it signals that residual risk is drifting toward the edge of tolerance, which should trigger a review of controls. Our guide to ISO 31000 risk management walks through that monitoring-and-review loop in detail.
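The two tolerances from the worked example can be monitored exactly as the paragraph above describes: each becomes a KRI that is compared against its limit and placed in a green, amber or red band, with red forcing escalation to the tolerance's named owner. The following is an added example and not code from the article; the incident records and revenue figures are constructed, and the choice of 80 percent of the limit as the start of the amber band is an assumption, not something the article specifies.

```python
"""Evaluate key risk indicators (KRIs) against risk tolerances.

Added example, not from the article. The 80 percent amber threshold,
the owner names and all sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Tolerance:
    """A measurable tolerance derived from the board's appetite statement."""
    name: str
    limit: float         # the red line: exceeding it breaches tolerance
    unit: str
    owner: str           # every tolerance needs a named owner for escalation
    amber_ratio: float = 0.8   # assumption: amber starts at 80% of the limit


ACTIONS = {
    "green": "monitor",
    "amber": "review controls; residual risk is drifting toward the limit",
    "red": "breach: escalate to owner, record and treat",
}


def band(value: float, tol: Tolerance) -> str:
    """Map a KRI reading to its traffic-light band."""
    if value > tol.limit:
        return "red"
    if value >= tol.limit * tol.amber_ratio:
        return "amber"
    return "green"


def evaluate(value: float, tol: Tolerance) -> dict:
    """Produce one dashboard tile: reading, band, and whether to escalate."""
    b = band(value, tol)
    return {
        "kri": tol.name,
        "value": value,
        "limit": f"{tol.limit} {tol.unit}",
        "band": b,
        "escalate": b == "red",
        "owner": tol.owner,
        "action": ACTIONS[b],
    }


# Constructed outage log: (start, end, service, planned)
OUTAGES = [
    ("2024-03-02T01:10:00", "2024-03-02T01:22:00", "payment-gateway", False),
    ("2024-03-15T14:00:00", "2024-03-15T14:25:00", "payment-gateway", False),
    ("2024-03-20T02:00:00", "2024-03-20T03:00:00", "payment-gateway", True),
    ("2024-04-01T09:00:00", "2024-04-01T09:50:00", "payment-gateway", False),
    ("2024-03-09T11:00:00", "2024-03-09T11:30:00", "reporting-api", False),
]


def unplanned_downtime_minutes(records, service: str, year: int, month: int) -> float:
    """Sum unplanned downtime for one service in one calendar month."""
    total = 0.0
    for start, end, svc, planned in records:
        if svc != service or planned:
            continue
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if (s.year, s.month) != (year, month):
            continue
        total += (e - s).total_seconds() / 60
    return total


def revenue_decline_pct(previous_quarter: float, current_quarter: float) -> float:
    """Quarter-on-quarter decline of top-customer revenue, in percent."""
    return round((previous_quarter - current_quarter) / previous_quarter * 100, 2)


# Tolerances translating the appetite statement into checkable limits.
DOWNTIME_TOL = Tolerance("gateway unplanned downtime per month", 45.0,
                         "minutes", "Head of Platform (assumed owner)")
CONCENTRATION_TOL = Tolerance("top-10 customer revenue decline per quarter",
                              10.0, "percent", "CRO (assumed owner)")


def monthly_report(year: int, month: int, prev_rev: float, curr_rev: float) -> list:
    """Build the KRI tiles for one reporting period."""
    downtime = unplanned_downtime_minutes(OUTAGES, "payment-gateway", year, month)
    decline = revenue_decline_pct(prev_rev, curr_rev)
    return [evaluate(downtime, DOWNTIME_TOL), evaluate(decline, CONCENTRATION_TOL)]


if __name__ == "__main__":
    for tile in monthly_report(2024, 3, 1_000_000.0, 920_000.0):
        print(tile)
```

Note that the 8 percent decline from the article lands in amber rather than green under this band design, which is the "inside tolerance but watching closely" state the text describes; 11 percent lands in red and sets the escalation flag.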

Framework framing: ISO 31000 and COSO ERM

Both major frameworks address these ideas, with slightly different vocabulary. ISO 31000 frames risk management around establishing context, then assessing and treating risk against criteria the organisation defines, which is effectively where appetite and tolerance live. COSO ERM is more explicit, naming risk appetite as a central concept and linking it directly to strategy and performance, with tolerance expressed as the acceptable variation in performance relative to objectives.

The practical takeaway is the same regardless of framework. Appetite without tolerance is a slogan that no one can act on, and tolerance without appetite is a set of numbers with no strategic anchor. You need both: the board sets the appetite, management converts it into measurable tolerances and limits, and KRIs keep everyone honest in between. Teams preparing for credentials such as CRISC should be able to move fluently between the two, because the exam tests exactly this judgement.

Common confusions to avoid

A few recurring mistakes undermine even well-intentioned programmes. The first is treating an appetite statement as a control: it sets direction but cannot be monitored on its own, so it must be backed by tolerances. The second is setting tolerances that no one owns, which means breaches are noticed but never escalated. The third is letting appetite and tolerance drift apart over time, so the limits teams monitor no longer reflect the strategy the board endorsed.

In our experience the fix is a simple annual cycle. Reconfirm the appetite at board level, re-derive the tolerances and limits beneath it, check that every tolerance has a named owner and a live KRI, and retire any metric that no longer maps to a real objective. Done consistently, that keeps the strategic intent and the operational reality pointing in the same direction.

Frequently Asked Questions

What is the difference between risk appetite and risk tolerance?

Risk appetite is the broad, strategic amount of risk an organisation will accept to meet its objectives, set by the board. Risk tolerance is the narrower, measurable boundary of acceptable variation within that appetite for a specific risk.

Can you give an example of risk appetite vs risk tolerance?

A board may state an appetite of not accepting risks that threaten the core revenue base. Management then sets a tolerance such as revenue from the top 10 customers not falling more than 10 percent in a quarter. The first is direction; the second is a testable limit.

Who sets risk appetite in an organisation?

The board of directors and senior management set risk appetite, reflecting strategy, stakeholder expectations, capital and regulatory obligations. Management then translates that appetite into specific tolerances and limits for operational teams.

How does risk tolerance relate to key risk indicators?

Key risk indicators measure how close a risk is to its tolerance threshold. With green, amber and red bands, a KRI gives early warning so teams can act before a tolerance limit is actually breached.

How do ISO 31000 and COSO ERM treat risk appetite and tolerance?

ISO 31000 embeds them in risk criteria set during context-setting and evaluation. COSO ERM names risk appetite explicitly and ties it to strategy and performance, with tolerance as acceptable variation relative to objectives.

Is risk tolerance always quantitative?

Usually yes. Tolerance is typically expressed in numbers, such as thresholds, percentages or time limits, so it can be monitored. Risk appetite, by contrast, is more often a qualitative, strategic statement.
