The table above summarizes the diverse definitions of risk terms. The following diagram depicts the concept of risk acceptability and tolerability and proposes using risk terms largely aligned with the definitions mentioned in the above table.
- Risk Exposure is the potential loss presented to an individual, project, or organization by a risk. (ISO 16085:2006)
- Risk Tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. (ISACA, 2019)
- Risk Threshold is the level of risk exposure above which risks are addressed and below which risks may be accepted. (PMBOK Guide — Sixth Edition)
- Risk Treatment is the process to eliminate risk or reduce it to a tolerable level. (ISO 15026-3:2015)
- Risk Appetite is the amount and type of risk that an organization is willing to pursue or retain. (ISO/Guide 73:2009)
- Risk Capacity refers to the maximum amount of risk that an organization is able to endure.
The following diagram was released earlier in 2022:
The following diagram was released earlier in 2019:
The following is an excerpt from the CISM Review Manual, 15th Edition:
1.2.2 DETERMINING RISK CAPACITY AND ACCEPTABLE RISK (RISK APPETITE)
Every organization has a particular risk capacity, defined as the objective amount of loss an enterprise can tolerate without its continued existence being called into question. Subject to the absolute maximum imposed by this risk capacity, the owners or board of directors of an organization set the risk appetite for the organization. Risk appetite is defined as the amount of risk, on a broad basis, that an entity is willing to accept in pursuit of its
mission. In some cases, setting the risk appetite may be delegated by the board of directors to senior management as part of strategic planning.
Acceptable risk determination or risk appetite and the criteria by which it can be assessed is an essential element for virtually all aspects of information security as well as most other aspects of organizational activities. It will determine many aspects of strategy including control objectives, control implementation, baseline security, cost-benefit calculations, risk management options, severity criteria determinations, required incident response capabilities, insurance requirements and feasibility assessments, among others.
Risk appetite is translated into a number of standards and policies to contain the risk level within the boundaries set by the risk appetite. These boundaries need to be regularly adjusted or confirmed. Within these boundaries, risk may be accepted, a formal and explicit process that affirms that the risk requires and warrants no additional response by the organization as long as it and the risk environment stay substantially the same and accountability for the risk is assigned to a specific owner.
Risk acceptance generally should not exceed the risk appetite of the organization, but it must not exceed the risk capacity (which would threaten the continued existence of the organization). Risk tolerance levels are deviations from risk appetite, which are not desirable but are known to be sufficiently below the risk capacity that acceptance of risk is still possible when there is compelling business need and other options are too costly. Risk tolerance may be defined using IT process metrics or adherence to defined IT procedures and policies, which are a translation of the IT goals that need to be achieved. Like risk appetite, risk tolerance is defined at the enterprise level and reflected in the policies created by senior management. Exceptions can be tolerated at lower levels of the enterprise as long as the overall exposure does not exceed the risk appetite at the enterprise level.Source: CISM Review Manual 15th edition
The following diagram is my attempt to summarize the excerpt above: