What is Risk Tolerance?
- Apr 11
Why your organisation’s comfort zone might be holding you back (or putting you at risk)
Have you ever approved something risky without thinking it through? Or blocked a great idea because it just felt uncomfortable?
That feeling – that gut reaction – is usually tied to risk tolerance. And while it’s often invisible, it plays a major role in how decisions get made (and how risks sneak through the cracks).
So, what is risk tolerance?
Risk tolerance is your organisation’s true boundaries
Put simply, risk tolerance is how much risk your organisation is prepared to accept in pursuit of its goals.
It’s your comfort zone. But here’s the problem: most organisations have never actually defined it.
They talk about being ‘risk averse’ or ‘willing to take calculated risks’ – but when you look closely, you’ll find:
No clear documentation
No consistency across teams
No link between risk tolerance and control performance
That’s where the cracks begin to show.
Why risk tolerance matters
Risk tolerance isn’t about being cautious or brave. It’s about being clear and consistent. When people know the boundaries, they stop guessing. They stop wasting time. They start making better decisions.
Organisations with a clearly defined risk tolerance:
Spend less time in meetings trying to reach consensus
Avoid knee-jerk reactions and overcorrections
Design better control frameworks
Reduce the risk of major incidents or reputational damage
When you don’t define your risk tolerance, decisions default to whoever is the loudest or most senior in the room. And that’s not risk management – that’s luck.
Risk appetite vs risk tolerance – what’s the difference?
These terms are often used interchangeably, but they serve different purposes:
Risk appetite is your big-picture ambition. It’s the amount of risk you’re willing to pursue to achieve your objectives.
Risk tolerance is more specific. It’s the amount of variation you’re willing to accept before you say “this is too far”.
Think of it like this:
You might have an appetite to grow your services nationwide – but your tolerance for reputational risk, cyber security, or physical safety might be extremely low.
This is where clarity changes everything.
What does risk tolerance look like in practice?
Here are some everyday examples:
A community housing provider may tolerate maintenance delays – but never missed safety checks on smoke alarms.
A civil contractor might accept last-minute client scope changes – but never risk work near overhead powerlines without permits and spotters.
A small business may feel okay trialling new payment systems – but not if it exposes customer data to privacy breaches.
It’s not about being fearless. It’s about being focused.
Defining your risk tolerance: where to start
You don’t need to over-engineer it. You just need to get started:
1. Write down what you’re not willing to tolerate: injury? Financial loss? Public complaints? Legal action?
2. Get honest about trade-offs: are you cutting corners anywhere? Are any of your controls based on luck?
3. Use scenarios to test your boundaries: “Would we accept this risk if it helped us grow?” “Would we accept this risk if resources were tight?”
4. Document the answers: use plain language, not corporate spin. Make it clear for everyone.
5. Link it to your controls: your risk tolerance should directly inform your critical controls and the way you verify them.
Where do you document risk tolerance?
Risk tolerance should be clearly articulated in the following core documents:
1. Your Risk Management Framework (RMF)
This is your top-level governance document that outlines how you manage risk across your organisation. Include a dedicated section for:
Definitions of risk appetite and tolerance
Your approach to setting boundaries (by risk type, business unit, etc.)
Escalation thresholds (e.g. “All risks exceeding tolerance must be reviewed by the Executive Team”)
2. Your Risk Register
Your risk register shouldn’t just list risks and ratings. It should include a field or reference for each risk’s tolerance threshold – a clear indicator of whether the residual risk is:
Below tolerance (acceptable)
Within tolerance (acceptable with monitoring)
Above tolerance (unacceptable – action required)
This helps frontline leaders quickly see whether the current controls are enough.
3. Board or Executive Risk Reports
When reporting risks, don’t just show red-amber-green heat maps. Include:
A summary of which risks are exceeding tolerance
What that means in real terms
What decisions or resources are needed to bring them back within tolerance
4. Control Performance Standards (for critical controls)
Controls that manage risks outside tolerance need to be clearly defined and closely monitored. Your performance standards should include:
The risk(s) the control addresses
The organisation’s tolerance level for that risk
The consequences of failure
This links your operational controls directly back to your strategic risk tolerance.
How do you articulate risk tolerance?
Here’s a tip: don’t overcomplicate it. Your risk tolerance statements should be:
Clear
Measurable
Consistent with your values and legal duties
Use this format to express your risk tolerance by category:
Health and Safety
"We have zero tolerance for risks that could result in serious injury or fatality. All such risks must be eliminated or controlled through critical controls with ongoing verification."
Financial
"We will tolerate up to $20,000 in unforeseen costs per quarter to trial new initiatives, but no tolerance for cost overruns on fixed-price contracts without pre-approval."
Reputational
"We accept low levels of reputational risk in relation to staff development or innovation, but zero tolerance for media exposure related to client safety or privacy breaches."
Compliance
"We have no tolerance for non-compliance with legislative requirements and expect all staff to be trained and competent in areas of legal obligation."
Bonus Tip: Use Traffic Light Triggers
For each risk, define a traffic light system in your risk register:
Green – within tolerance, no action needed
Amber – approaching tolerance, monitor closely
Red – outside tolerance, escalate immediately
This provides clear guidance for operational decision-making, especially for frontline managers or site leads.
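The risk register field (section 2), the executive summary of risks exceeding tolerance (section 3) and the traffic light triggers above all reduce to the same comparison: residual risk against a per-risk tolerance threshold, with a band just below the threshold that triggers monitoring. The following Python is an added example written for this article, not a tool from the author; it assumes a 1-25 residual risk score (likelihood 1-5 times consequence 1-5), a per-risk tolerance expressed on the same scale, and a constructed sample register based on the everyday examples given earlier. Zero-tolerance risks are simply entries whose tolerance is 0, so any residual score above 0 goes red.

```python
"""Risk register with tolerance thresholds and traffic light triggers (added example)."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GREEN = "within tolerance, no action needed"
    AMBER = "approaching tolerance, monitor closely"
    RED = "outside tolerance, escalate immediately"


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    residual_risk: int     # assumed scale: likelihood (1-5) x consequence (1-5)
    tolerance: int         # highest residual score the organisation accepts for this risk
    amber_margin: int = 3  # how far below tolerance the amber (monitor) band begins


def status_for(entry: RiskEntry) -> Status:
    """Classify one register entry against its own tolerance threshold."""
    if entry.residual_risk > entry.tolerance:
        return Status.RED                      # above tolerance: unacceptable, escalate
    amber_floor = max(0, entry.tolerance - entry.amber_margin)
    if entry.residual_risk >= amber_floor:
        return Status.AMBER                    # within tolerance: acceptable with monitoring
    return Status.GREEN                        # comfortably below tolerance


def exceeding_tolerance(register: list[RiskEntry]) -> list[RiskEntry]:
    """Risks above tolerance, largest excess first, i.e. the escalation list."""
    reds = [e for e in register if status_for(e) is Status.RED]
    return sorted(reds, key=lambda e: e.residual_risk - e.tolerance, reverse=True)


def executive_summary(register: list[RiskEntry]) -> list[str]:
    """Plain-language lines for a board or executive report, instead of a heat map alone."""
    counts = {s: 0 for s in Status}
    for entry in register:
        counts[status_for(entry)] += 1
    lines = [
        f"{counts[Status.RED]} risk(s) exceeding tolerance, "
        f"{counts[Status.AMBER]} approaching, {counts[Status.GREEN]} within tolerance"
    ]
    for entry in exceeding_tolerance(register):
        excess = entry.residual_risk - entry.tolerance
        lines.append(
            f"{entry.risk_id} [{entry.category}] {entry.description}: residual "
            f"{entry.residual_risk} vs tolerance {entry.tolerance} (+{excess}); "
            "requires Executive Team review"
        )
    return lines


# Constructed sample register; scores and tolerances are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("R1", "Smoke alarm safety checks missed", "Health and Safety", 6, 0),
    RiskEntry("R2", "Maintenance work orders delayed beyond target", "Operational", 8, 12),
    RiskEntry("R3", "Work near overhead powerlines without permit or spotter",
              "Health and Safety", 5, 0),
    RiskEntry("R4", "Trial payment system exposes customer data", "Privacy", 4, 4),
]


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        status = status_for(entry)
        print(f"{entry.risk_id}: {status.name} ({status.value})")
    print()
    print("\n".join(executive_summary(SAMPLE_REGISTER)))
```

The amber band is deliberately per-risk rather than global: a reputational risk may warrant a wide monitoring band while a fixed-price contract overrun has none. Whatever values you choose, record them in the register itself so the green/amber/red colour a site lead sees is reproducible from documented thresholds rather than from the loudest voice in the room.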
Final Word
Your risk tolerance shouldn't live in someone’s head – or get redefined every time leadership changes.
It should be embedded, visible, and actionable.
If you'd like help writing your risk tolerance statements or reviewing your risk register layout, I’d be happy to guide you through it or provide a custom template that aligns with your risk framework.