Risk appetite and risk tolerance are two of the most frequently confused terms in enterprise risk management. Many organisations use them interchangeably, which creates confusion in boardrooms, risk committees, and operational teams alike. Getting the distinction right is not academic — it directly affects how your organisation makes decisions, sets strategy, and monitors risk exposure. This guide explains both concepts in plain language, shows how they work together, and provides practical guidance on setting and using each one.
What Is Risk Appetite?
Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its strategic objectives. It is a broad, strategic statement set by the board or governing body that reflects the organisation's overall attitude to risk-taking.
Risk appetite answers a simple question: "How much risk are we prepared to take to achieve our goals?"
Risk appetite is typically expressed as a qualitative statement or a combination of qualitative and quantitative boundaries. For example:
- "We accept moderate risk in pursuit of growth, but will not accept risks that threaten regulatory compliance."
- "We are willing to accept up to R5 million in annual operational losses across all business units."
- "We have zero appetite for safety incidents that result in fatalities."
Risk appetite is forward-looking and strategic. It guides the organisation's overall risk posture and informs how much risk the business is willing to take — and where.
Who Sets Risk Appetite?
Risk appetite is set by the board of directors or governing body, with input from executive management. It is a governance-level decision that reflects the organisation's strategic intent, stakeholder expectations, and capacity to absorb loss.
What Is Risk Tolerance?
Risk tolerance is the specific, measurable boundary of acceptable variation around a particular objective or risk. It translates the broad risk appetite into concrete thresholds that can be monitored and enforced at the operational level.
Risk tolerance answers: "What is the maximum deviation we will accept for this specific risk before we must take action?"
Risk tolerances are always more granular than appetite. They are expressed as measurable limits tied to specific risks, processes, or objectives. For example:
- "System downtime must not exceed 4 hours per quarter."
- "Customer complaint rates must stay below 2% of total transactions."
- "Project cost overruns must not exceed 10% of approved budget."
- "Supplier concentration risk: no single supplier may represent more than 30% of critical inputs."
Tolerances are owned by management and operational teams. They are the practical guardrails that keep day-to-day activity within the boundaries set by the board's risk appetite.
Key Differences Between Risk Appetite and Risk Tolerance
While risk appetite and risk tolerance are related, they differ in scope, ownership, and application. The table below summarises the main distinctions.
| Dimension | Risk Appetite | Risk Tolerance |
|---|---|---|
| Definition | The amount and type of risk the organisation is willing to accept | The acceptable variation around a specific objective or risk |
| Scope | Organisation-wide, strategic | Specific to individual risks, processes, or objectives |
| Set by | Board / governing body | Management / operational teams (within appetite) |
| Expression | Qualitative statements, broad quantitative limits | Specific, measurable thresholds and limits |
| Purpose | Guides strategic direction and overall risk posture | Provides operational boundaries and triggers for action |
| Timeframe | Reviewed annually or when strategy changes | Monitored continuously, reviewed periodically |
| Example | "We accept moderate financial risk for growth" | "Revenue variance must not exceed 15% of forecast" |
How Risk Appetite and Risk Tolerance Work Together
Risk appetite and tolerance operate at different levels but must be aligned. Think of it as a hierarchy:
- Risk appetite sets the overall boundaries — the "big picture" risk posture
- Risk tolerance translates those boundaries into specific, measurable limits for individual risks
- Risk limits (sometimes called risk thresholds) are the most granular level — the point at which escalation or corrective action is triggered
In a well-functioning enterprise risk management programme, the flow looks like this:
- The board defines risk appetite as part of strategic planning
- Management translates appetite into risk tolerances for each major risk category
- Operational teams set specific risk limits and key risk indicators (KRIs) within those tolerances
- Breaches of tolerance are escalated; breaches of appetite are reported to the board
The Thermostat Analogy
Risk appetite is like setting the temperature on a thermostat to 22 degrees Celsius. Risk tolerance is the acceptable range — say 20 to 24 degrees — before the system triggers a response. If the temperature drops below 20 or rises above 24, action is taken. This is how appetite and tolerance work together in practice.
Examples in Practice
Quantitative Examples
| Risk Category | Appetite Statement | Tolerance Threshold |
|---|---|---|
| Financial | We accept moderate financial risk to achieve 12% annual growth | Revenue variance must not exceed ±15% of forecast in any quarter |
| Operational | We accept limited operational disruption | Unplanned downtime must not exceed 8 hours per month per critical system |
| Cybersecurity | We have very low appetite for data breaches | Zero tolerance for breaches involving personal data; patching within 72 hours for critical vulnerabilities |
| Safety | We have zero appetite for fatalities and serious injuries | Lost-time injury frequency rate (LTIFR) must remain below 1.0 |
Qualitative Examples
Not all risk appetite and tolerance statements are numerical. Qualitative approaches are particularly useful for reputational, strategic, and ethical risks:
- Reputation: Appetite: "We will not pursue opportunities that risk significant reputational damage." Tolerance: "Any media coverage involving regulatory sanction must be escalated to the CEO within 2 hours."
- Compliance: Appetite: "We have zero appetite for material regulatory non-compliance." Tolerance: "All regulatory submissions must be filed on time; any late filing is a breach."
- Strategy: Appetite: "We are willing to accept high risk in new market expansion." Tolerance: "No single market entry investment may exceed 20% of annual capital budget."
How to Set Risk Appetite
Setting risk appetite is a governance exercise that requires board involvement. Here is a practical approach:
Step 1: Understand the Context
Review your organisation's strategic objectives, stakeholder expectations, regulatory requirements, and capacity to absorb loss. Risk appetite must reflect reality — not aspiration.
Step 2: Define Risk Categories
Break risk into meaningful categories for your organisation: financial, operational, compliance, strategic, safety, reputational, and so on. Each category may have a different appetite level.
Step 3: Choose Appetite Levels
For each category, define whether the organisation's appetite is:
- Averse — avoid risk wherever possible
- Minimal — accept very low levels of risk
- Cautious — accept low-to-moderate risk with strong controls
- Open — accept moderate risk for potential reward
- Hungry — actively seek higher risk for higher reward
Step 4: Express Appetite Clearly
Write appetite statements that are specific enough to guide decision-making but broad enough to remain relevant over time. Include both qualitative statements and, where possible, quantitative boundaries.
Step 5: Approve and Communicate
The board must formally approve the risk appetite statement. It should then be communicated to all levels of the organisation and used to inform risk assessments, strategy discussions, and investment decisions.
How to Define Tolerance Thresholds
Once risk appetite is set, management defines tolerance thresholds for individual risks. Effective tolerances share these characteristics:
Measurable
Tolerances must be quantifiable or clearly observable. "Keep customer complaints low" is not a tolerance. "Customer complaints must not exceed 50 per month" is.
Linked to Appetite
Every tolerance must fall within the boundaries of the board's appetite. If the board has set low appetite for compliance risk, management cannot set a tolerance that accepts frequent regulatory breaches.
Owned
Each tolerance must have a clear owner — someone responsible for monitoring it and escalating breaches. This is typically a risk owner or process owner aligned to the risk assessment process.
Monitored
Tolerances are only useful if they are actively tracked. Establish key risk indicators (KRIs) and reporting mechanisms to monitor tolerance levels in real time or at regular intervals.
Actionable
Define what happens when a tolerance is breached. Who is notified? What actions are triggered? At what point does a breach escalate to the board?
Warning: Don't Set Tolerances in Isolation
Tolerances set without reference to appetite create a disconnect between what the board thinks is happening and what is actually happening. Always validate tolerance levels against the approved appetite statement.
Common Mistakes
1. Using the Terms Interchangeably
This is the most common mistake. Risk appetite and risk tolerance are different concepts with different owners, scopes, and purposes. Confusing them leads to unclear accountability and poor risk decisions.
2. Setting Appetite Too Vaguely
Statements like "we are risk-averse" provide no practical guidance. Appetite must be specific enough to inform actual decisions — by risk category, with measurable boundaries where possible.
3. Setting Tolerance Without Appetite
Some organisations define operational tolerances without ever establishing a risk appetite. This means the operational limits have no strategic anchor, making it impossible to assess whether they are appropriate.
4. Failing to Review
Risk appetite should be reviewed annually and whenever the organisation's strategy, environment, or capacity changes materially. Tolerance thresholds should be reviewed quarterly or when the risk profile shifts.
5. Not Communicating Appetite
A risk appetite statement that sits in a board pack and is never shared with the organisation adds no value. Appetite must be communicated clearly so that managers and staff can make risk-informed decisions.
6. Ignoring Appetite in Decision-Making
If strategic decisions are made without reference to appetite, the appetite statement is decorative. Every significant decision should ask: "Is this within our appetite?"
King IV and King V Requirements for Risk Appetite
South African organisations governed by the King IV Code and the emerging King V Code have specific obligations regarding risk appetite.
King IV Requirements
King IV (Principle 11) requires the governing body to:
- Approve the organisation's risk appetite and tolerance levels
- Ensure that risk appetite is aligned with strategic objectives
- Monitor that management operates within approved appetite and tolerance boundaries
- Disclose the organisation's risk appetite and key risks in integrated reporting
King V Developments
The King V Code builds on these requirements by emphasising:
- Dynamic risk appetite — reviewing and adjusting appetite as the operating context changes
- Stakeholder-inclusive appetite — considering the risk perspectives of all stakeholders, not just shareholders
- Technology-enabled monitoring — using digital tools and key risk indicators to track appetite breaches in real time
- Integration with combined assurance — linking appetite to the three lines model for independent validation
Compliance Tip
For JSE-listed companies and state-owned entities in South Africa, the King Code applies on an "apply and explain" basis. Organisations must either implement the risk appetite requirements or explain why they have not. Using a structured ERM approach with clearly defined appetite and tolerance is the most straightforward path to compliance.
Summary
- Risk appetite is the broad, strategic statement of how much risk the organisation is willing to accept — set by the board
- Risk tolerance is the specific, measurable boundary for individual risks — set by management within appetite
- They are related but different: appetite is the "what" and tolerance is the "how much"
- Both must be documented, communicated, monitored, and reviewed regularly
- King IV and King V require boards to approve and monitor risk appetite and tolerance
- Common mistakes include using the terms interchangeably, setting vague appetite statements, and failing to communicate appetite across the organisation
- Effective risk management requires appetite and tolerance to work together as part of a connected ERM framework
Frequently Asked Questions
Can an organisation have different risk appetites for different risk categories?
Yes. In fact, most organisations should have different appetites for different risk categories. For example, an organisation may have high appetite for strategic growth risk but zero appetite for safety risk. Expressing appetite by category gives management clearer guidance for decision-making.
How often should risk appetite be reviewed?
Risk appetite should be reviewed at least annually, typically as part of the strategic planning cycle. It should also be reviewed whenever there is a material change in strategy, a significant risk event, a change in regulatory requirements, or a major shift in the external environment.
What is the difference between risk appetite, risk tolerance, and risk capacity?
Risk capacity is the maximum amount of risk an organisation can absorb before it threatens survival. Risk appetite is how much of that capacity the organisation chooses to use. Risk tolerance is the acceptable range for specific risks within that appetite. Think of capacity as the total fuel in the tank, appetite as how much you plan to use, and tolerance as the acceptable fuel-burn range per trip.
Is risk appetite a compliance requirement in South Africa?
The King IV Code, which applies on an "apply and explain" basis, requires the governing body to approve risk appetite and tolerance levels and to monitor that management operates within them. For JSE-listed companies, public entities, and state-owned enterprises, this is a governance expectation. While not legislation, failure to comply requires a public explanation.
How do you measure whether you are operating within risk appetite?
Organisations use key risk indicators (KRIs) mapped to tolerance thresholds. When a KRI approaches or breaches a tolerance level, it signals that the organisation may be moving outside appetite. Regular risk reporting, dashboard monitoring, and escalation protocols provide the mechanism for tracking appetite adherence in practice.
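The escalation flow described earlier (tolerance breaches go to management, appetite breaches go to the board), the thermostat-style band, and the KRI-to-threshold mapping in this answer, as an added Python example that is not part of the original guide. The appetite bands, owner names and KRI readings are constructed assumptions, loosely based on the page's own tolerance examples.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Limit:
    """Tolerance band plus an outer appetite band for one KRI (assumed model)."""
    kri: str
    owner: str                       # management owner of the tolerance
    tol_lo: Optional[float] = None   # None = no floor
    tol_hi: Optional[float] = None   # None = no ceiling
    app_lo: Optional[float] = None   # outer appetite boundary (board level)
    app_hi: Optional[float] = None

def _outside(value, lo, hi):
    return (lo is not None and value < lo) or (hi is not None and value > hi)

def classify(limit, value):
    """Return (level, escalate_to): 'within', 'tolerance' or 'appetite'."""
    if _outside(value, limit.app_lo, limit.app_hi):
        return "appetite", "board"          # outside appetite: report to the board
    if _outside(value, limit.tol_lo, limit.tol_hi):
        return "tolerance", limit.owner     # outside tolerance: escalate to the owner
    return "within", None

def evaluate(limits, readings):
    """Map each KRI reading to its escalation level; KRIs with no limit are skipped."""
    by_kri = {lim.kri: lim for lim in limits}
    return {kri: classify(by_kri[kri], value)
            for kri, value in readings.items() if kri in by_kri}

# Constructed limits drawn from the page's examples; the appetite bands are assumed.
LIMITS = [
    Limit("room_temp_c", "facilities", tol_lo=20, tol_hi=24),        # thermostat analogy
    Limit("downtime_hours_month", "it_ops", tol_hi=8, app_hi=24),    # operational row
    Limit("critical_patch_age_hours", "security", tol_hi=72, app_hi=168),
    Limit("personal_data_breaches", "ciso", tol_hi=0, app_hi=0),     # zero tolerance
    Limit("revenue_variance_pct", "cfo", tol_lo=-15, tol_hi=15, app_lo=-30, app_hi=30),
]

# Constructed KRI readings for one reporting period.
READINGS = {
    "room_temp_c": 25.0,
    "downtime_hours_month": 6.5,
    "critical_patch_age_hours": 96.0,
    "personal_data_breaches": 1,
    "revenue_variance_pct": -12.0,
}

if __name__ == "__main__":
    for kri, (level, to) in evaluate(LIMITS, READINGS).items():
        print(f"{kri:28} {level:10} -> {to or 'no action'}")
```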

