Risk Appetite vs Risk Tolerance
Risk appetite is how much risk an organisation is willing to seek out; risk tolerance is the maximum level of risk it can absorb before it must act.
Risk appetite vs risk tolerance at a glance.
| Dimension | Risk appetite | Risk tolerance |
|---|---|---|
| What it is | How much risk the organisation seeks (strategic) | The maximum risk it can absorb before action (operational) |
| Time horizon | Strategic — set annually or at major change | Operational — applied per risk, per project, per period |
| Set by | Board / sponsor | Risk owner / project sponsor within appetite |
| Expressed as | Qualitative posture (low / medium / high) or confidence-level thresholds (e.g. fund to P80) | Quantitative threshold (e.g. escalate any risk > £500k EMV) |
| Project-controls impact | Drives target confidence level for funding submissions | Drives the escalation and contingency-drawdown rules |
| Analogy | The speed limit | The point at which the alarm sounds |
| Standards reference | ISO 31000:2018, IRM Risk Appetite Statement Guidance | ISO 31000:2018 clause 6.3.4 (criteria), COSO ERM 2017 |
Also known as: risk tolerance vs risk appetite, difference between risk appetite and risk tolerance, risk appetite and tolerance, appetite vs tolerance
Risk appetite and risk tolerance are related but distinct concepts that define an organisation's posture towards risk. Risk appetite is a strategic statement: the broad amount and type of risk that the organisation is willing to accept in pursuit of its objectives. It is often expressed qualitatively — 'we have a low appetite for safety risk but a higher appetite for innovation risk' — or through approved confidence level thresholds for project delivery. Risk tolerance is more operational: the specific maximum level of risk exposure that the organisation can absorb before it must take action to reduce it. Think of appetite as the speed limit and tolerance as the point at which the speedometer triggers an alarm.
In project controls practice, risk appetite and tolerance manifest most clearly in decisions about contingency and target completion dates. An organisation with a low risk appetite for cost overrun will fund projects to P80 or P85; one with higher appetite might accept a P50 funding level. Risk tolerance drives the escalation process: if an individual project risk exceeds a defined financial threshold, it must be escalated to the sponsor or board. These thresholds are most effective when they are set explicitly at the start of the project rather than applied retrospectively.
The most common problem is that risk appetite and tolerance are either undefined or defined but not used. Risk appetite statements in governance frameworks often sit in a document that is reviewed annually and otherwise ignored. To be useful, appetite and tolerance need to be translated into specific decision rules: at what probability-weighted cost does a risk get escalated? What confidence level must the cost estimate achieve before the project can be approved for execution? Connecting the risk framework to these practical decisions is what makes it live rather than decorative.
Frequently asked
- What is the difference between risk appetite and risk tolerance?
- Risk appetite is how much risk the organisation is willing to seek out in pursuit of its objectives — a strategic posture set by the board. Risk tolerance is the maximum level of risk exposure the organisation can absorb before it must take action — an operational threshold applied per risk or per project. Think of appetite as the speed limit and tolerance as the point at which the speedometer triggers an alarm.
- Which is set first, risk appetite or risk tolerance?
- Risk appetite comes first. It is a strategic statement set by the board or executive that defines the organisation's broad posture towards risk. Risk tolerances are then set within the appetite — operational thresholds for specific risk categories or projects that translate the strategic posture into decision rules.
- How does risk appetite translate into project controls decisions?
- Most directly via the target confidence level for funding submissions. An organisation with low appetite for cost overrun will fund to P80 or P85; one with higher appetite might accept P50. Appetite also drives delegation rules — what level of risk can be accepted at project level versus escalated to portfolio or board.
- Is risk tolerance the same as risk threshold?
- Effectively yes. ISO 31000 uses the term "risk criteria" for the thresholds that distinguish acceptable from unacceptable risk levels — in practice these are commonly called risk tolerances or risk thresholds. They are the trigger points for escalation, mitigation, or contingency drawdown.
- Why do organisations get the appetite-tolerance distinction wrong?
- Because appetite is typically set in a governance document that nobody references during day-to-day decisions, while tolerances are set ad hoc by individual project managers. The fix is to make the appetite statement live — translate it into specific decision rules (confidence levels, EMV thresholds, escalation triggers) and test it against actual decisions in post-implementation reviews.
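The decision rules described above (a tolerance threshold on probability-weighted cost, and an appetite-driven confidence level for contingency) as an added worked example, not code from the original page. The risk register, the £500k EMV threshold and the P50/P80 comparison are constructed for illustration; the contingency uses a simple Monte Carlo over independent risks.

```python
import random

# Constructed sample risk register (not from the page): (name, probability, cost impact in GBP)
RISK_REGISTER = [
    ("Ground conditions worse than survey", 0.40, 1_500_000),
    ("Late design approval", 0.60, 300_000),
    ("Supplier insolvency", 0.10, 900_000),
    ("Utility diversion delay", 0.25, 2_400_000),
]

# Tolerance rule expressed as a quantitative threshold (the page's example value)
ESCALATION_EMV_GBP = 500_000


def emv(probability, impact):
    """Expected monetary value: probability-weighted cost of a single risk."""
    return probability * impact


def risks_to_escalate(register, threshold=ESCALATION_EMV_GBP):
    """Tolerance as a decision rule: escalate any risk whose EMV exceeds the threshold."""
    return [name for name, p, impact in register if emv(p, impact) > threshold]


def percentile(values, p):
    """Linear-interpolated percentile (p in 0..1) of a list of numbers."""
    s = sorted(values)
    k = (len(s) - 1) * p
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def simulate_total_risk_cost(register, iterations=20_000, seed=1):
    """Monte Carlo: each risk independently occurs with its probability; sum the impacts."""
    rng = random.Random(seed)
    totals = []
    for _ in range(iterations):
        total = 0.0
        for _, p, impact in register:
            if rng.random() < p:
                total += impact
        totals.append(total)
    return totals


def contingency_at_confidence(register, confidence, **kwargs):
    """Appetite as a decision rule: fund the risk contingency at P50, P80, etc."""
    return percentile(simulate_total_risk_cost(register, **kwargs), confidence)
```

Running `risks_to_escalate(RISK_REGISTER)` flags the two risks with EMV of £600k, while `contingency_at_confidence(RISK_REGISTER, 0.80)` returns a materially larger contingency than the P50 figure, which is the cost of a low appetite for overrun.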
Putting these techniques into practice?
SOMA provides independent project controls consultancy for UK programmes. We can help you apply QRA, EVM, schedule risk analysis, and more.