The IT Law Wiki


Risk tolerance (or risk threshold) is

[t]he level of risk an entity is willing to assume in order to achieve a potential desired result.[1]
[t]he criteria against which stakeholders evaluate a risk. Different risk tolerances may be defined for each risk, risk category, or combination of risks. Exceeding a risk threshold is a condition that triggers some action.[2]
[t]he organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives.[3]
[t]he defined impacts to an enterprise's information systems that an entity is willing to accept.[4]


"Risk tolerance affects all components of the risk management process — having a direct impact on the risk management decisions made by senior leaders/executives throughout the organization and providing important constraints on those decisions."[5]

"Risk tolerance can be influenced by legal or regulatory requirements."[6]