Aligning Risk Appetite, Tolerance, and Thresholds with Business Planning: A Comprehensive Guide to Enterprise Risk Management

By Dr. Muhammad Malik
InfoSec Leader & Editor-in-Chief, Information Security Buzz | Jul 23, 2023 01:24 am PST

Executive Summary

In today’s complex and volatile business environment, Enterprise Risk Management (ERM) has become a strategic imperative. This article provides a comprehensive guide to aligning risk appetite, tolerance, and thresholds with strategic, operational, and tactical business planning activities. It delves into key risk concepts, explores the nuances of risk tolerance, threshold, and appetite, and provides practical examples of risk management in action.


Enterprise Risk Management (ERM) is a strategic business practice that involves identifying potential risks in a business and making decisions about how to manage and mitigate those risks. It is a holistic approach that considers all risks collectively, allowing management to understand the interrelationships among these risks and manage them more effectively.

Key Risk Concepts

Risk Thresholds

Risk thresholds are the specific levels of risk that an organization is willing to accept. For example, a pharmaceutical company developing a new drug might set a risk threshold related to the failure rate of the drug in clinical trials. If more than 5% of trial participants experience severe side effects, the company might decide that this exceeds its risk threshold. This would trigger a review of the drug formula and could lead to additional research and development to reduce the side effects.

Operational Risk

Operational risk refers to the potential for loss resulting from inadequate or failed internal processes, people, and systems, or from external events. A practical example of operational risk could be an online retailer that relies heavily on its website for sales. If a technical glitch causes the website to go down for several hours during a peak shopping period, this could result in significant lost sales and damage to the company’s reputation. This is an operational risk resulting from a failure of the company’s IT systems.

Baselining Risk Management Terminology

In risk management, it’s essential to have a common language. For example, risks and threats are two terms that are often used interchangeably but have different meanings in the context of risk management.

  • Risks refer to the potential for an event to occur that will have an impact on the achievement of objectives. For instance, a tech startup developing a new app might identify a risk that their new product could be delayed due to potential difficulties in the development process.
  • Threats, on the other hand, are events or conditions that may harm an organization. In the context of the tech startup, a threat could be a competing company that is developing a similar app. If the competitor launches their app before the startup, they could capture a significant portion of the market, making it harder for the startup to achieve its business objectives.

Risk Tolerance, Threshold, and Appetite

Risk Appetite

Risk appetite is the amount of risk an organization is willing to accept in pursuit of its objectives. It’s a high-level view of how much risk management and the board are willing to accept. An organization’s risk appetite guides its risk management strategy and influences its risk culture.

Risk Tolerance

Risk tolerance, on the other hand, is the specific level of variance an organization is willing to withstand around its business objectives. It’s a more detailed view of the amount of risk an organization is willing to accept. Risk tolerance levels are typically set by management and provide a guideline for operational decision-making.

Risk Threshold

Risk thresholds are the levels of risk exposure which, when exceeded, give rise to management action. They provide a clear line in the sand that helps organizations decide when action needs to be taken to mitigate risk. Risk thresholds are typically set in relation to the organization’s risk tolerance and appetite.

Practical Risk Management Example

Consider a tech company, TechX, planning to launch a new product – a cutting-edge smartphone. The strategic goal is to increase market share in the competitive smartphone market.

Strategic Plan
At the strategic level, TechX’s goal is to capture a significant market share in the smartphone industry. The risks involved at this level could include market acceptance of the new product, competition from established players, and potential regulatory issues. The company’s risk appetite at this level would be set by the board and senior management, taking into consideration the potential rewards of successfully launching the product.

Operational Plan

The operational plan to achieve this strategic goal might involve a series of marketing campaigns to create awareness and demand, increasing production capacity to meet the anticipated demand, and forging distribution agreements with key retailers and online platforms.

Operational risks could include the failure of marketing campaigns, production issues such as delays or quality problems, and potential issues with distribution partners. The company’s risk tolerance at this level would guide how these risks are managed. For example, TechX might decide to accept the risk of a marketing campaign not being as successful as anticipated, but not tolerate any risks related to product quality.

Tactical Plan
At the tactical level, specific actions are taken to support the operational plan. This might include creating engaging content for social media advertising, hiring additional staff to ramp up production, and negotiating contracts with distributors.

Tactical risks could include the social media content not engaging the target audience, difficulties in hiring or training new staff, and potential contractual issues with distributors. The company’s risk thresholds would come into play here, indicating when a risk has reached a level where immediate action is needed. For example, if a social media campaign is not generating the expected level of engagement, this might trigger a review and adjustment of the campaign.

In each of these stages, the company’s risk appetite, tolerance, and thresholds guide decision-making and action. By aligning these elements with its strategic, operational, and tactical planning, TechX can effectively manage the risks associated with launching a new product, increasing its chances of achieving its strategic goal.

Conclusion
Aligning risk appetite, tolerance, and thresholds with business planning is a critical aspect of effective ERM. By understanding and applying these concepts, organizations can better manage their risks and achieve their business objectives. This white paper has provided a comprehensive guide to these concepts and their application in the context of ERM. It is hoped that it will serve as a valuable resource for organizations seeking to enhance their risk management practices and align them more closely with their strategic, operational, and tactical business planning activities.
