A risk is the effect of uncertainty on an organization's objectives, and that effect can be a positive or a negative deviation from what is expected (Praxiom, 2017). In information security management, we analyze risk in terms of the impact a vulnerability, if exploited, would have on the Confidentiality, Integrity, and Availability of the information system. There is, however, a clear distinction between a firm's risk appetite and its risk tolerance.
Although risk appetite and risk tolerance are often used interchangeably, they mean different things. Risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives (Johnson, R., 2015). For instance, a firm with a million-dollar budget must decide how much of it to spend on fortifying its information system and securing its infrastructure; whatever risk remains after that spending is the risk it has chosen to accept. Essentially, a firm's risk appetite is the level of risk, measured by the impact and frequency of loss events, that it is prepared to live with. Risk tolerance, by contrast, sets the acceptable deviation from that level for a specific objective: the maximum risk the firm will tolerate before it must act.