The linked documents below discuss various aspects of risk appetite and risk tolerance levels and how they can be leveraged to strengthen the necessary cross-functional bridges between strategy and performance.


COSO Enterprise Risk Management Integrating with Strategy and Performance (June 2017)

FRAMEWORK COMPONENT 2. Strategy and Objective-Setting:


  • Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

  • PRINCIPLE 7. Defines Risk Appetite:

    • The organization defines risk appetite in the context of creating, preserving, and realizing value.



Risk appetite: The types and amounts of risk, on a broad level, an organization is willing to accept in the pursuit of value.

Risk tolerance: The boundaries of acceptable variation in performance related to achieving business objectives.


COSO Enterprise Risk Management – Understanding and Communicating Risk Appetite (Free PDF Download)

This thought leadership document is one of a series of papers, sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), to help organizations implement enterprise risk management (ERM). The COSO document Enterprise Risk Management — Integrated Framework explicitly states that organizations must embrace risk in pursuing their goals. The key is to understand how much risk they are willing to accept. Further, how should an organization decide how much risk it is willing to accept? To what extent should the risks accepted mirror stakeholders’ objectives and attitudes towards risk? How does an organization ensure that its units are operating within bounds that represent the organization’s appetite for specific kinds of risk?

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

RIMS Executive Report - The Risk Perspective - Exploring Risk Appetite and Risk Tolerance (Free PDF Download)


Risk appetite is the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.


Risk tolerance is the amount of uncertainty an organization is prepared to accept in total or more narrowly within a certain business unit, a particular risk category or for a specific initiative.

This RIMS report includes definitions of risk appetite and risk tolerance from six other organisations including ISO, KPMG, and Towers Perrin.

The Institute of Risk Management (IRM) - Risk Appetite and Tolerance Executive Summary (Free PDF Download)


It is our view that risk appetite, correctly defined, approached and implemented, should be a fundamental business concept that could make a substantial difference to how businesses and organizations are run.