Risk Appetite vs Risk Tolerance: Definitions and Examples
Risk appetite and risk tolerance are two of the most misused terms in risk management. They’re often treated as synonyms, used interchangeably in board papers and risk frameworks, or defined so vaguely that they provide no practical guidance to anyone actually managing risk on the ground.
Getting them right matters. In high-hazard industries — mining, construction, energy — the difference between risk appetite and risk tolerance isn’t a semantic debate. It’s the difference between a risk framework that guides real decisions and one that sits in a document and does nothing.
Risk Appetite: The Strategic Position
Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives. It’s a strategic statement made at the leadership level — by the board, executive team, or senior management — about the organisation’s overall posture toward risk.
Risk appetite answers the question: What risks are we prepared to take on in order to achieve our goals?
It’s not about eliminating risk. Every organisation in high-hazard industries accepts risk as a condition of operating. A mining company that refused to accept any geological risk would never open a pit. A construction firm that refused to accept any safety risk would never break ground. Risk appetite defines the boundary between risks the organisation is willing to carry and risks it’s not prepared to accept under any circumstances.
Risk appetite statements typically vary by risk category. Examples:
- “We have zero appetite for harm to our people. Fatalities and permanent injuries are not an acceptable cost of doing business.”
- “We have a low appetite for environmental incidents that could result in regulatory sanctions or material harm to ecosystems.”
- “We have a moderate appetite for project cost overruns of up to 10% on major capital works, provided schedule and safety are maintained.”
- “We have a high appetite for operational risk in exploration activities, provided we maintain our social licence and financial position.”
Notice how these statements differ. Safety risk has zero appetite, meaning the organisation will not accept preventable harm as a business cost. Operational and financial risk in exploration has a higher appetite: the organisation accepts that some exploration projects will fail.
Risk appetite is set at the top and cascades down. It shapes the risk criteria used in assessments, the thresholds that trigger escalation, and ultimately the decisions made every day on your sites.
Risk Tolerance: The Operational Boundary
Risk tolerance is the acceptable variation from risk appetite — the practical range within which the organisation will operate before action is required.
If risk appetite is the policy, risk tolerance is the threshold. It translates the strategic statement into measurable, actionable limits that frontline managers and safety teams can actually use.
Risk tolerance answers the question: How much deviation from our target position will we accept before we intervene?
Examples that follow from the appetite statements above:
| Risk Appetite Statement | Risk Tolerance Threshold |
|---|---|
| Zero appetite for harm to people | Any lost-time injury in a quarter triggers a mandatory review of critical controls |
| Low appetite for environmental incidents | More than 2 tier-1 environmental incidents in a year triggers a formal audit |
| Moderate appetite for cost overruns up to 10% | Project escalation required at 5% overrun; board notification at 8% |
| High appetite for exploration risk | Maximum portfolio exposure of $X before rebalancing is triggered |
Risk tolerance thresholds are what appear in your risk register and risk monitoring dashboards. They’re the numbers that tell someone when to escalate, when to stop work, and when to bring in additional controls.
How Risk Appetite and Risk Tolerance Differ
| | Risk Appetite | Risk Tolerance |
|---|---|---|
| What it defines | The type and amount of risk the organisation will accept | The acceptable variation from that position |
| Who sets it | Board or executive leadership | Senior management with operational input |
| Level of abstraction | Strategic — expressed in qualitative terms | Operational — expressed in measurable thresholds |
| How it’s used | Guides risk culture and major decisions | Drives day-to-day monitoring and escalation |
| Frequency of review | Annually or when strategy changes | Quarterly or as conditions change |
The simplest way to remember the difference: risk appetite is what we’ll accept, risk tolerance is how far we’ll let it go before we act.
Why the Distinction Matters in Practice
In high-hazard industries, blurring these concepts creates real operational problems.
Problem 1: Appetite without tolerance is decoration.
Many organisations publish risk appetite statements — often because the board or a regulator requires them. But without tolerance thresholds, the statements are aspirational at best. “We have zero appetite for harm” means nothing if there’s no threshold that triggers a stop-work, a root cause investigation, or a review of critical controls. The framework exists, but it doesn’t drive behaviour.
Problem 2: Tolerance without appetite is arbitrary.
Setting thresholds without an underlying appetite statement creates inconsistency. Why is the threshold two environmental incidents rather than one or five? Without a coherent appetite statement behind it, thresholds can be set too high (providing false assurance) or too low (generating constant noise that people learn to ignore).
Problem 3: Misapplication under pressure.
When production targets are under pressure, risk appetite gets reinterpreted. “Zero appetite for harm” gets quietly bracketed with “within reason” or “as far as practicable.” Risk tolerance thresholds get treated as targets rather than limits — as long as you’re under the threshold, you’re fine, even if the trend is worsening. Clear definitions and explicit thresholds make this kind of drift harder to justify and easier to detect.
Operational Risk Appetite in Mining and Construction
For operational risk in high-hazard industries, risk appetite almost always falls into a small number of categories:
Safety risk: Most mining and construction operators explicitly state zero or near-zero appetite for fatal and serious harm. This isn’t just an ethical position — it reflects the legal, reputational, and financial consequences of catastrophic safety events. The challenge is that “zero appetite” can’t mean “zero incidents ever,” because incidents do occur. It means the organisation will not knowingly accept risks where the likelihood of serious harm is significant, and will respond to every serious event as if the controls that should have prevented it have failed.
Environmental risk: Typically low appetite, particularly for tier-1 environmental incidents (those that cause material harm or regulatory scrutiny). Environmental performance is increasingly connected to social licence, which is existential for many mining and construction businesses.
Operational and financial risk: More variable. Many operators accept significant financial risk on exploration or capital projects in pursuit of growth, while maintaining tight tolerance on operational costs at producing assets.
Compliance and regulatory risk: Low appetite across the board. The consequences of regulatory breaches — licence suspensions, stop orders, prosecutions — are typically disproportionate to any short-term benefit from non-compliance.
Setting Risk Tolerance Thresholds That Actually Work
The most common mistake in setting risk tolerance thresholds is making them too abstract to be useful. A threshold like “safety performance within acceptable limits” isn’t a threshold — it’s a non-answer.
Effective risk tolerance thresholds have three characteristics:
1. Measurable. You can objectively determine whether you’re inside or outside the threshold. Leading indicators (verification completion rates, near-miss reporting rates, overdue control reviews) are often more useful than lagging indicators (injuries) because they signal trend before harm occurs.
2. Assigned to an owner. Someone is responsible for monitoring the metric and escalating when the threshold is approached or breached. Without ownership, thresholds become theoretical.
3. Connected to a response. Breaching a threshold triggers a defined action — not just a report to management, but a specific investigation, stop-work, or control review. The threshold is only useful if something happens when it’s crossed.
How Risk Appetite and Tolerance Fit into ISO 31000
ISO 31000 treats risk criteria — the benchmarks used to evaluate the significance of risk — as a foundational element of the risk management framework. Risk appetite and risk tolerance are the organisation’s risk criteria made explicit.
ISO 31000 is guidance rather than a certifiable standard, so it mandates nothing in the strict sense, but it does expect risk criteria to be established, reviewed, and updated. It doesn't prescribe what the criteria should be, which is an organisational decision, but it does expect them to be documented, understood, and applied consistently in risk assessment and evaluation.
In practice, your risk appetite and tolerance statements should inform:
- The risk matrix you use for assessment (what constitutes high, medium, and low risk)
- The escalation pathways in your risk register
- The trigger points for critical control verification and audit
- The reporting thresholds for board and executive review
Connecting Risk Appetite to Your Risk Register
A risk register that isn’t calibrated to risk appetite is just a list. The link between the two should be explicit: risks rated above the appetite for their category are flagged for treatment; risks inside tolerance, but not low enough to dismiss, are monitored; and risks that sit well below tolerance are accepted and recorded as such.
This calibration is also how you avoid the “all risks are high” trap — where risk registers fill up with high-rated items because assessors are risk-averse, not because the organisation’s actual exposure is uniformly high. If your appetite is moderate for some categories of operational risk, your register should reflect that. Not everything needs to be treated as a crisis.
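As an added illustration (not from the article and not RiskSight's software), the following Python sketch puts the three characteristics of a working threshold and the register calibration above into code. Each threshold carries tiered limits, an owner and a defined response; a reading is checked both against the limits and for an adverse trend while still inside tolerance (the drift described under Problem 3); and a likelihood-by-consequence score is turned into treat/monitor/accept according to the category's appetite. Metric names, tier values, owners, appetite bands and the sample readings are all assumed.

```python
# Added illustration for this article, not RiskSight's code. Metric names,
# tier limits, owners, appetite bands and sample readings are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Tier:
    """One escalation step: a measurable limit, an owner and a defined response."""
    name: str     # e.g. "escalate", "board", "stop_work"
    limit: float  # reading at or beyond which this tier triggers
    owner: str    # who monitors the metric and escalates
    action: str   # what happens when the tier is crossed


@dataclass(frozen=True)
class Tolerance:
    """A measurable threshold serving one qualitative appetite statement."""
    metric: str
    appetite: str
    tiers: List[Tier]             # ordered least to most severe
    higher_is_worse: bool = True  # False for leading indicators such as completion rates


def crossed_tier(tol: Tolerance, value: float) -> Optional[Tier]:
    """Most severe tier the reading has reached, or None if within tolerance."""
    hit = [t for t in tol.tiers
           if (value >= t.limit if tol.higher_is_worse else value <= t.limit)]
    return hit[-1] if hit else None


def worsening(history: List[float], window: int = 3, higher_is_worse: bool = True) -> bool:
    """True when the last `window` readings move strictly toward the limit:
    the 'under the threshold but drifting the wrong way' case a limit-only
    check misses when tolerance is treated as a target."""
    if len(history) < window:
        return False
    recent = history[-window:]
    steps = [b - a for a, b in zip(recent, recent[1:])]
    return all(s > 0 for s in steps) if higher_is_worse else all(s < 0 for s in steps)


def evaluate(tol: Tolerance, history: List[float]) -> dict:
    """Status of one metric: tier crossed (if any), its owner and action, and trend."""
    tier = crossed_tier(tol, history[-1])
    return {
        "metric": tol.metric,
        "status": tier.name if tier else "within tolerance",
        "owner": tier.owner if tier else None,
        "action": tier.action if tier else None,
        "worsening": worsening(history, higher_is_worse=tol.higher_is_worse),
    }


# Appetite as bands on a 5x5 likelihood x consequence score (1..25):
# at or above treat_at exceeds appetite; below accept_below is accepted;
# anything between is monitored. Band values are assumed.
APPETITE_BANDS = {
    "safety": {"treat_at": 5, "accept_below": 3},         # zero appetite
    "environment": {"treat_at": 10, "accept_below": 4},   # low appetite
    "capital": {"treat_at": 15, "accept_below": 6},       # moderate appetite
    "exploration": {"treat_at": 20, "accept_below": 10},  # high appetite
}


def register_decision(category: str, likelihood: int, consequence: int) -> str:
    """treat / monitor / accept for a register entry, calibrated to its category."""
    band = APPETITE_BANDS[category]
    score = likelihood * consequence
    if score >= band["treat_at"]:
        return "treat"
    return "accept" if score < band["accept_below"] else "monitor"


# Sample thresholds following the article's table (owners and actions assumed).
COST_OVERRUN = Tolerance(
    "capital project cost overrun (%)", "moderate appetite for overruns up to 10%",
    [Tier("escalate", 5.0, "project director", "project review and recovery plan"),
     Tier("board", 8.0, "CFO", "board notification before further commitment")])
VERIFICATION = Tolerance(
    "critical control verification completion (%)", "zero appetite for harm to people",
    [Tier("review", 90.0, "site safety manager", "review overdue verifications"),
     Tier("stop_work", 75.0, "site general manager", "stop work on affected tasks")],
    higher_is_worse=False)


def demo():
    """Three constructed monthly readings per metric, plus one register score."""
    overrun = evaluate(COST_OVERRUN, [2.0, 3.5, 4.5])         # under 5%, but climbing
    verification = evaluate(VERIFICATION, [96.0, 88.0, 70.0])
    safety = register_decision("safety", 2, 3)                # score 6, zero-appetite category
    exploration = register_decision("exploration", 2, 3)      # same score, high appetite
    return overrun, verification, safety, exploration
```

Calling `demo()` returns the cost overrun as "within tolerance" but flagged as worsening, the verification rate at the "stop_work" tier with its owner and action attached, and the same 2x3 score coming back as "treat" for safety and "accept" for exploration. The last pair is the point of calibration: the register rates the exposure, but the appetite for the category decides what the rating means.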
RiskSight’s risk management software lets you build risk criteria and appetite thresholds directly into your risk register — so every risk is assessed against the same benchmark, escalation happens automatically when thresholds are crossed, and you get a live view of where your operation sits relative to its risk appetite at any point in time.
Start your 30-day free trial — no credit card, no consultants, demo data included so you can explore how it works before committing.