---
type: "term"
title: "Risk Appetite / Risk Tolerance"
description: "Risk Appetite: The level and type of cyber risk an organization is willing to accept in pursuit of its objectives."
resource: "tlctc:term:risk-appetite-risk-tolerance"
tags:
  - "glossary"
---
# Risk Appetite / Risk Tolerance

**Risk Appetite:** The level and type of cyber risk an organization is willing to accept in pursuit of its objectives. **Risk Tolerance:** The acceptable deviation from the defined risk appetite. In TLCTC, risk appetite and tolerance should be defined per threat cluster, enabling differentiated risk treatment. For example, an organization may have zero tolerance for `#10 Supply Chain` risks in critical infrastructure but moderate tolerance for `#6 Flooding` risks where adequate DDoS mitigation is in place. Risk appetite is a Strategic Management Layer concern that informs operational priorities.

**Reference:** V1.9.1 §Strategic Management Layer

See also: Strategic Management Layer, GOVERN (GV)
