# Risk Appetite, Tolerance, Capacity

One-sentence definition: Appetite = the amount/types of risk the organization is willing to pursue; tolerance = acceptable variation around objectives; capacity = maximum risk the organization can absorb.

## Key Facts

- Appetite is set by leadership/board; it guides risk-based decisions.
- Tolerance is operational limits (e.g., ≤ 4 hours outage per month).
- Capacity reflects financial/operational resilience to loss.
- Link metrics to KRIs; escalate when crossing thresholds.
- Align control selection and exceptions with appetite/tolerance.
- Document in policy/charters; review periodically.
- **Label:** **Boundary-setting** for risk-taking.
- **Verify:** check the official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose actions aligned to appetite; identify out-of-tolerance conditions.

**Mnemonic:** “Appetite (want), Tolerance (wiggle), Capacity (ceiling).”

## Mini Scenario

Q: If outage tolerance is 2 hours but a planned change risks 6 hours, what’s required?

A: Risk escalation/exception and mitigation plan or reschedule.

## Revision Checklist

- Define all three succinctly.
- Provide one metric example for tolerance.
- State who sets appetite.

## Related

[[Security Governance]] · [[Risk Management Lifecycle]] · [[Security Metrics, KPIs, KRIs]] · [[Risk Register and Reporting]] · [[Compliance and Regulatory Concepts]] · [[Domain 1 - Index]]