Risk Management

Risk Appetite vs Risk Tolerance: What's the Difference?

These terms are often used interchangeably, but they serve distinct purposes in risk management. Understanding the difference is essential for effective governance.

28 October 2024 · 6 min read

Definitions

Risk Appetite

The amount and type of risk an organisation is willing to pursue or retain to achieve its strategic objectives. It's a strategic, board-level statement about how much risk the organisation wants to take.

Think of it as: "How hungry are we for risk?"

Risk Tolerance

The acceptable level of variation around objectives that the organisation is willing to accept. It's the operational boundary within which risk must be managed—the specific thresholds and limits.

Think of it as: "How much deviation can we stomach?"

A Practical Analogy

Consider driving a car:

  • Risk Appetite: Your general approach to driving—are you a cautious driver who prefers safety, or do you accept more risk for faster journeys?
  • Risk Tolerance: The specific limits you set—never exceeding 80mph, always maintaining a 2-second gap, avoiding driving in heavy rain.

Risk appetite is strategic and qualitative; risk tolerance is operational and quantitative. Appetite guides strategy; tolerance guides day-to-day decisions.

Risk Appetite in Practice

Appetite Statement Examples

  • Conservative: "We have minimal appetite for risks that could impact customer data security or regulatory compliance."
  • Moderate: "We accept moderate operational risks where potential returns justify the exposure and controls are in place."
  • Aggressive: "We actively pursue strategic risks that offer significant growth opportunities, accepting higher uncertainty."

Appetite Categories

Organisations typically define appetite across multiple risk categories:

  • Strategic risk
  • Financial risk
  • Operational risk
  • Compliance/regulatory risk
  • Reputational risk
  • Technology/cyber risk

Risk Tolerance in Practice

Quantified Tolerance Examples

  • Financial: Maximum acceptable loss of £500,000 per incident; annual risk-related losses not to exceed 2% of revenue
  • Operational: System availability must remain above 99.5%; maximum acceptable downtime of 4 hours per quarter
  • Compliance: Zero tolerance for material regulatory breaches; minor findings must be remediated within 30 days
  • Cyber: Critical vulnerabilities must be patched within 72 hours; no more than 5 high-severity incidents per year

How They Work Together

Risk appetite and tolerance form a hierarchy:

  1. Board sets risk appetite: Strategic direction on acceptable risk levels
  2. Management defines tolerances: Specific thresholds aligned with appetite
  3. Operations monitor against tolerances: Day-to-day risk management
  4. Breaches escalate: Tolerance breaches trigger review and response

Common Mistake: Setting tolerances that don't align with appetite. If your appetite is "minimal" for cyber risk but your tolerance allows 30 days to patch critical vulnerabilities, there's a disconnect.
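The monitoring and escalation steps of the hierarchy above, together with the common mistake of a tolerance that contradicts appetite, as an added Python example (not code from the original article): it evaluates a constructed KRI snapshot against the article's cyber and operational tolerances, returns every breach for escalation, and flags a critical-patch tolerance too slow for a "minimal" cyber appetite. The 72-hour cap for a "minimal" appetite in `check_alignment` and all sample KRI values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Quantified tolerances taken from the article's cyber and operational examples.
TOLERANCES = {
    "critical_patch_hours": 72,       # critical vulnerabilities patched within 72 hours
    "high_incidents_per_year": 5,     # no more than 5 high-severity incidents per year
    "availability_pct": 99.5,         # system availability must stay above 99.5%
    "downtime_hours_per_quarter": 4,  # at most 4 hours of downtime per quarter
}
@dataclass
class Breach:
    tolerance: str   # which tolerance was crossed
    observed: float  # the measured KRI value
    limit: float     # the threshold it crossed
def patch_age_hours(vuln: dict, now: datetime) -> float:
    """Hours from disclosure to patch, or to `now` if the vulnerability is still open."""
    return ((vuln["patched"] or now) - vuln["disclosed"]).total_seconds() / 3600
def evaluate(kris: dict, now: datetime, tol: dict = TOLERANCES) -> list[Breach]:
    """Step 3: compare each KRI with its tolerance; the breaches returned are what step 4 escalates."""
    checks = [  # (observed KRI, tolerance name, side on which the limit is breached)
        (max((patch_age_hours(v, now) for v in kris["critical_vulns"]), default=0.0),
         "critical_patch_hours", "above"),
        (kris["high_incidents_ytd"], "high_incidents_per_year", "above"),
        (kris["availability_pct"], "availability_pct", "below"),
        (kris["downtime_hours_qtd"], "downtime_hours_per_quarter", "above"),
    ]
    breaches = []
    for observed, name, side in checks:
        limit = tol[name]
        if (observed > limit) if side == "above" else (observed < limit):
            breaches.append(Breach(name, observed, limit))
    return breaches
def check_alignment(appetite: str, tol: dict = TOLERANCES) -> list[str]:
    """The article's common mistake: a 'minimal' cyber appetite paired with a slow patch
    tolerance. Capping 'minimal' at 72 hours is a constructed rule, not the article's."""
    hours = tol["critical_patch_hours"]
    return [f"minimal appetite but {hours}h patch tolerance"] if appetite == "minimal" and hours > 72 else []
# Constructed sample KRI snapshot: VULN-B is still unpatched 100 hours after disclosure.
NOW = datetime(2024, 10, 28, 12, 0)
SAMPLE_KRIS = {
    "critical_vulns": [
        {"id": "VULN-A", "disclosed": NOW - timedelta(hours=96), "patched": NOW - timedelta(hours=40)},
        {"id": "VULN-B", "disclosed": NOW - timedelta(hours=100), "patched": None},
    ],
    "high_incidents_ytd": 3,     # within the 5-per-year tolerance
    "availability_pct": 99.7,    # above the 99.5% floor
    "downtime_hours_qtd": 4.5,   # over the 4-hour quarterly tolerance
}
```

Running `evaluate(SAMPLE_KRIS, NOW)` yields two breaches (the open critical vulnerability and the quarterly downtime), which is the list a board-defined escalation path would act on.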

Implementing Effective Statements

Risk Appetite Best Practices

  • Approved by the board and reviewed annually
  • Aligned with strategic objectives
  • Communicated throughout the organisation
  • Differentiated by risk category
  • Supported by clear rationale

Risk Tolerance Best Practices

  • Quantified where possible
  • Measurable and monitorable
  • Cascaded to operational levels
  • Linked to KRIs and reporting
  • Reviewed when appetite changes

Common Pitfalls

  • Vague Statements: "Low appetite for risk" without context is meaningless
  • Set and Forget: Appetite and tolerance must evolve with the business
  • Misalignment: Tolerances that contradict stated appetite
  • No Consequences: Tolerance breaches without escalation or action
  • One Size Fits All: Same appetite across all risk categories

Conclusion

Risk appetite and risk tolerance are complementary concepts that together enable effective risk governance. Appetite provides strategic direction; tolerance provides operational boundaries. Both must be clearly defined, properly aligned, and actively monitored.

Start with your strategic objectives, define appetite statements that support them, then translate those into measurable tolerances. Regular review ensures they remain relevant as your organisation and risk landscape evolve.
