Risk appetite vs risk tolerance: two concepts too often confused

Risk Companion

March 31, 2026
9 min read

Key Takeaways

  • Risk appetite is a strategic, board-level statement about what kinds of risk an organisation will accept in pursuit of its objectives. It is directional and usually qualitative.
  • Risk tolerance is the operational boundary beneath that appetite: a specific, measurable threshold that tells a risk owner when to escalate a particular risk.
  • Most risk frameworks collapse because they define appetite but skip the translation step into documented tolerance thresholds. The board talks strategy; nobody defines the numbers.
  • A risk appetite statement that is not differentiated by category (compliance, operational, financial, strategic) gives teams nothing actionable to work with.
  • If a risk on your register were silently breaching your board's appetite right now, a properly defined tolerance threshold is the only mechanism that would surface it.

Risk appetite vs risk tolerance often gets treated as a vocabulary debate. The two concepts, however, do different jobs in a risk framework, sit at different levels of an organisation, and break in different ways when they are misused.

Using them as synonyms is not just imprecise. It produces frameworks where the board sets a direction nobody can act on, or where teams are managing to thresholds that were never actually agreed.

In this article we describe where the distinction actually sits.

Why the confusion persists, even among experienced practitioners

Part of the problem is the standards themselves. ISO 31000 defines risk appetite as "the amount and type of risk that an organisation is prepared to pursue, retain, or take." COSO describes it as "the types and amounts of risk an entity is willing to accept in pursuit of value." The Institute of Risk Management's guidance separates appetite from tolerance but acknowledges that the terms overlap in common usage.

When the authoritative bodies each frame things slightly differently, it is unsurprising that practitioners land in different places.

The other problem is that both terms are abstract until someone does the work of making them concrete. And that work is genuinely hard, so it often does not get done. The result: a risk appetite statement sits in a policy document, risk tolerance is never defined at all, and both terms get used interchangeably in board reports and risk workshops until nobody is quite sure what they mean.

Risk appetite: the strategic speed limit

Here is the analogy that makes the distinction stick: risk appetite is the speed limit. It is a strategic, directional statement about how fast your organisation is prepared to travel in pursuit of its objectives. Set at the top, applicable broadly, and rarely expressed as a single number.

A well-written risk appetite statement for a mid-sized logistics company might read:

"We accept moderate operational risk in our core delivery network in pursuit of growth, but we have zero appetite for risks that could result in regulatory penalties, safety incidents, or material data breaches."

Notice what that statement does and does not do. It gives direction. It signals priorities. It tells the leadership team what kinds of risk are acceptable trade-offs for growth and what kinds are not. But it does not tell a warehouse manager whether a specific supplier risk is acceptable. That is not its job.

Risk appetite is set by the board or senior leadership. It applies to the organisation as a whole, or to strategic categories of risk. It is qualitative in nature: it describes intent and direction, not precise numbers. And it should be reviewed when strategy changes, not just at year-end.

Risk tolerance: where the line actually sits

Risk tolerance is how far above the speed limit you are prepared to go before you act.

If the appetite statement says "we accept moderate operational risk," tolerance answers the question: what does moderate mean for this specific risk, in this business unit, right now?

A risk tolerance threshold for the same logistics company, applied to a specific supplier concentration risk, might read:

"No single supplier should account for more than 30% of critical route capacity. If concentration exceeds 25%, a review is triggered. If it exceeds 30%, escalation to the risk committee is required."

That is a risk tolerance statement. It is specific, measurable, and actionable. It tells a risk coordinator exactly when to flag something. It gives the risk committee a defined threshold for escalation. And it connects directly back to the appetite: "moderate operational risk" now means something a team can actually check.

Risk tolerance operates at the level of individual risks, risk categories, or business units. It is typically quantitative, or at minimum expressed as a defined range. It is set by management (not the board), reviewed more frequently, and should be visible to anyone who owns a risk in that area.

The layer beneath: risk threshold

Some frameworks introduce a third term: risk threshold. This is the specific point at which a risk score, metric, or indicator triggers a mandatory response. Think of it as the speed camera. Not just a limit, but an automatic consequence.

In practice, many organisations skip this level and work with just appetite and tolerance. That is fine. What matters is that the tolerance level is defined and someone is watching it.

What breaks when you blur the distinction

Here is a real pattern we see in small and mid-sized enterprise risk frameworks. A company writes a risk appetite statement at the start of its risk process. It is reasonable and well-intentioned. But nobody then defines risk tolerance thresholds for the individual risks on the register. The appetite statement becomes the default reference for everything.

The result plays out in two ways:

Over-management of acceptable risks. A team sees a risk score that is technically within the board's appetite but interprets the broad appetite language as a reason to escalate. Time and resources go into managing a risk that the board would consider acceptable.

Under-management of real exposures. A risk quietly drifts into territory the board would not accept, but because nobody defined a tolerance threshold, no one flags it. The risk register shows an owner and a score. Nothing shows that the risk is breaching any limit.

Both failures come from the same root cause: the strategic intent at appetite level was never translated into operational boundaries at tolerance level.

If you want to understand the broader cycle this fits into, our article on the risk management cycle explains why the steps from identification through to monitoring are rarely as linear as the textbooks suggest, and where organisations most commonly stall.

How to write a risk appetite statement that actually works

A useful risk appetite statement has three qualities.

First, it is differentiated by category. Saying "we have a moderate risk appetite" is nearly useless. Saying "we have low appetite for compliance and safety risk, moderate appetite for operational risk, and higher appetite for strategic and reputational risk in new markets" gives people something to work with.

Second, it acknowledges trade-offs explicitly. Risk appetite should reflect your strategy. If you are in a growth phase, your appetite for strategic and operational risk is likely higher than if you are consolidating. The statement should say so.

Third, it connects down to tolerance. A risk appetite statement that does not generate measurable tolerance thresholds beneath it is a policy artifact. The test is simple: can a risk manager look at a specific risk and determine, from the tolerance thresholds, whether it is within appetite? If not, the statement is not doing its job.

How to define risk tolerance thresholds that people will actually use

Most risk tolerance frameworks fail not because the numbers are wrong, but because the thresholds are either not documented anywhere near the risks they apply to, or they are defined once and never reviewed.

Some practical principles:

Anchor tolerance thresholds to real consequences, not scores. "A risk score above 15 requires escalation" is less useful than "a risk that could result in revenue impact greater than €500k, or downtime exceeding 48 hours, requires escalation to the executive team." Scores are proxies. Thresholds defined in business terms survive longer and get used more consistently.

Define thresholds per category, not per risk. You do not need a unique tolerance statement for every risk on your register. Define thresholds for each risk category (operational, financial, compliance, strategic) and apply them across the relevant risks. This is manageable and scalable.

Make the tolerance visible to the owner. The person responsible for a risk should be able to see, without going looking, whether their risk is within tolerance. If the threshold is buried in a policy document, it will not be used.

For a fuller look at how scoring feeds into this, and the honest limitations of likelihood-impact grids, our piece on what risk management actually is in practice covers the foundations without padding them out.

Risk appetite and risk tolerance in enterprise risk management

In enterprise risk management frameworks, appetite and tolerance work as a cascade. The board sets strategic appetite. Management translates that into tolerance thresholds by category and business unit. Risk owners manage to those thresholds. The risk register surfaces which risks are approaching or breaching tolerance. The board gets a summary.

When this cascade works, risk management is genuinely connected to strategy. When it breaks (usually because the translation step from appetite to tolerance is skipped) the board talks about risk in broad terms, teams manage risks without knowing whether they are within acceptable limits, and the annual risk report reflects neither.

The cascade does not require a complex enterprise platform. It requires clear definitions, documented thresholds, and a register where risk scores are visible alongside the limits they are meant to respect.
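The cascade above, written out as a small evaluator. This is an added example, not Risk Companion's code: tolerance is documented per category, in both 5x5 score terms and business terms (the article's supplier concentration, revenue impact and "compliance above 12" figures are reused), and a constructed register is checked against it. The category names, the other threshold values and the register entries are assumptions.

```python
from dataclasses import dataclass, field
LEVELS = {"within": 0, "review": 1, "escalate": 2}
# Tolerance per category (constructed, following the article's examples). "score"
# tiers apply to the 5x5 likelihood x impact score; "metrics" tiers are expressed in
# business terms. A value strictly above a limit trips that tier ("exceeds").
TOLERANCE = {
    "compliance":  {"score": {"escalate": 12}},
    "operational": {"score": {"review": 15, "escalate": 20},
                    "metrics": {"supplier_share_pct": {"review": 25, "escalate": 30}}},
    "financial":   {"metrics": {"revenue_impact_eur": {"escalate": 500_000}}},
    "strategic":   {"score": {"review": 20, "escalate": 25}},
}

@dataclass
class Risk:
    name: str
    category: str
    likelihood: int          # 1-5
    impact: int              # 1-5
    metrics: dict = field(default_factory=dict)   # indicators in business terms

def evaluate(risk: Risk) -> tuple[str, list[str]]:
    """Status ('within', 'review' or 'escalate') and reasons for one risk."""
    rules = TOLERANCE.get(risk.category)
    if rules is None:   # an undocumented tolerance is a finding, not a pass
        return "escalate", [f"no tolerance defined for category '{risk.category}'"]
    checks = [("score", risk.likelihood * risk.impact, rules.get("score", {}))]
    checks += [(m, risk.metrics[m], t) for m, t in rules.get("metrics", {}).items()
               if m in risk.metrics]
    status, reasons = "within", []
    for label, value, tiers in checks:
        for level in ("escalate", "review"):            # stricter tier first
            limit = tiers.get(level)
            if limit is not None and value > limit:
                reasons.append(f"{label}={value} exceeds {level} limit {limit}")
                status = max(status, level, key=LEVELS.get)
                break
    return status, reasons

def breaching(register: list[Risk]) -> list[tuple[str, str, list[str]]]:
    """Dashboard view: only risks in review or escalate, worst first."""
    rows = [(r.name, *evaluate(r)) for r in register if evaluate(r)[0] != "within"]
    return sorted(rows, key=lambda row: LEVELS[row[1]], reverse=True)

REGISTER = [   # constructed sample register for the logistics company in the article
    Risk("Supplier concentration, northern routes", "operational", 3, 3, {"supplier_share_pct": 27}),
    Risk("Breach notification process untested", "compliance", 3, 5),
    Risk("Fuel price exposure", "financial", 4, 3, {"revenue_impact_eur": 350_000}),
    Risk("Legacy fleet telematics unpatched", "it", 4, 4),   # category with no documented tolerance
]
```

Note that the risk with no documented tolerance for its category is surfaced rather than silently passing, which is the gap the article warns about.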

Where Risk Companion fits in

Risk Companion's risk register gives every risk an owner, a score, and a next action. Nothing falls through the cracks. The risk score (likelihood multiplied by impact, on a 5x5 grid) gives you a consistent basis for applying tolerance thresholds across your register.

When you define tolerance thresholds by category (for example, "any compliance risk scoring above 12 requires an immediate escalation action") you can see at a glance, from the dashboard, which risks are approaching or exceeding that boundary. Overdue actions surface automatically, so nothing sits silently above threshold without someone being alerted.

Risk Companion is not a policy management tool and will not write your appetite statement for you. But once you have done the thinking described in this article, it gives your tolerance thresholds somewhere to live, alongside the risks they apply to, visible to everyone who needs to act on them.

If you want to structure that thinking before you build it into your register, our risk assessment documentation is a useful starting point.

The question worth sitting with

Here is the honest test for your current framework: if a risk on your register were silently breaching your board's risk appetite right now, would you know?

Not because the risk score is high. Because you have defined, documented, and are actively monitoring the tolerance threshold that connects that score to the board's strategic intent.

If the answer is uncertain, the problem is probably not your risk scores. It is the missing layer between appetite and register.

That layer is risk tolerance. Define it. Document it where people can see it. Review it when your risks change.

Ready to give your tolerance thresholds somewhere to live? Book a 30-minute demo and we will show you how teams use Risk Companion to connect board-level appetite to operational risk management.

Frequently Asked Questions

Risk appetite is a strategic, board-level statement about the overall level and type of risk an organisation is willing to accept in pursuit of its objectives. Risk tolerance is the operational boundary beneath that appetite: a specific, measurable threshold that defines how far a particular risk can deviate before action is required. Appetite sets direction; tolerance defines the limit.
