# Risk Appetite and Tolerance

Backlink: [[Domain 1 - Index]]

**Definition:** Appetite is the broad level of risk an organization is willing to pursue; tolerance is the acceptable variation around objectives.

## Key Facts

- Appetite set by leadership; expressed qualitatively or via KRIs.
- Tolerance sets thresholds/limits per metric or process.
- Guides acceptance decisions and exception approvals.
- Documented in policy; revisit after incidents/strategy shifts.
- Cascades via risk limits and dashboards.
- **Verify:** check official (ISC)² CBK and current exam outline.

>[!tip] **Exam Relevance**
>- Choose acceptance vs. mitigation based on appetite
>- Interpret KRI thresholds and escalation

>[!note] **Mnemonic**
>- “Appetite = Ambition; Tolerance = Threshold.”

### Example

Q: KRI exceeds red threshold. Action?

A: Escalate and initiate treatment per playbook.

## Revision Checklist

- [ ] Define appetite vs. tolerance
- [ ] Provide 2 KRI examples with thresholds
- [ ] Explain governance/approval
- [ ] Tie to exceptions and residual risk

## Related

[[Risk Management Process]] · [[Security Metrics, KPIs, and KRIs]] · [[Policy Exception and Exception Management]] · [[Risk Response Strategies]] · [[Security Governance]]

#cisSP #domain-1 #concept