ELI5: What is Risk Appetite vs. Risk Tolerance?
Risk appetite is how adventurous you are in general — “I like roller coasters.” Risk tolerance is your specific limit — “but not ones that go upside down.” Companies set both to know how much risk they’re willing to take overall and where the hard line is.
Definition
Risk appetite is the broad, strategic statement of how much risk an organization is willing to accept in pursuit of its objectives — set by the board and senior leadership. Risk tolerance is the more specific, operational measure of acceptable variation around the risk appetite — the acceptable deviation before action must be taken. Together, they define the boundaries within which the organization operates regarding risk-taking and risk acceptance decisions.
Key Details
- Risk appetite: strategic, qualitative, board-level — “We will not accept risks that could cause financial losses exceeding $10M” or “We have a low appetite for regulatory compliance risk”
- Risk tolerance: operational, quantitative — “We will alert if patch coverage drops below 95%”; “We will escalate if residual risk rating exceeds High”
- Risk appetite is set before risks are identified; risk tolerance translates appetite into measurable thresholds
- Risk capacity is a related concept: the maximum risk an organization can bear without failing — the absolute ceiling
- Exam tip: appetite = strategic “how much risk are we willing to take?”; tolerance = operational “how much deviation is acceptable?”
Connections
- Parent: risk-management — appetite and tolerance define the boundaries of acceptable risk across the organization
- See also: residual-risk
- See also: risk-register