risk tolerance [English]

An organization may choose to tolerate a risk when the expected impact of that risk is lower than the cost of preventing it.

  • CNSS-4009 (†730 p. 62): The defined impacts to an enterprise’s information systems that an entity is willing to accept. (†1749)
  • ISACA Glossary (†743 s.v. risk tolerance): The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. (†1809)
  • NIST Managing Information Security Risk 2011 (†484 p. 14): Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the organizational risk frame. Risk tolerance affects all components of the risk management process – having a direct impact on the risk management decisions made by senior leaders/executives throughout the organization and providing important constraints on those decisions. For example, risk tolerance affects the nature and extent of risk management oversight implemented in organizations, the extent and rigor of risk assessments performed, and the content of organizational strategies for responding to risk. With regard to risk assessments, more risk-tolerant organizations may be concerned only with those threats that peer organizations have experienced, while less risk-tolerant organizations may expand the list to include those threats that are theoretically possible but which have not been observed in operational environments. (†733)