New White Paper from ISACA Delves into Risk Tolerance

Schaumburg, IL, USA (Oct. 25, 2022) — The first step to addressing the myriad types of risk that need to be managed in an organization is understanding risk appetite and tolerance. ISACA has released two new resources that offer guidance in both areas: the Using Risk Tolerance to Support Enterprise Strategy white paper and the Risk Scenarios Toolkit.

The Using Risk Tolerance to Support Enterprise Strategy white paper examines the definitions of risk appetite, risk tolerance and risk capacity, not only for risk practitioners but also for management. It contrasts risk appetite with risk tolerance and explores the range of tolerance and the use of tolerance limits and triggers. It also offers guidance on how to establish a risk tolerance framework and use risk tolerance measures to make decisions, as well as how to track, report and control risk tolerance.

The publication outlines several key benefits of risk tolerance, including:

Provides structure to the conversation and communicates explicitly what is acceptable.

Increases transparency of the risk management process, enabling stakeholders to better understand the enterprise’s risk position.

Helps boards of directors articulate appropriate levels of risk tolerance.

Supports the communication of the risk that matters most to the enterprise as it pursues its strategic objectives.

“Many use risk-related terms interchangeably, which can lead to confusion among stakeholders and inconsistent implementation of risk management efforts,” says Paul Phillips, ISACA Director of Event Content Development. “It is important that risk practitioners, boards of directors, and managers are all on the same page regarding risk tolerance, risk appetite and risk capacity so they are able to make informed decisions on balancing risk with meeting business objectives while each effectively plays their vital role in risk management.”

Understanding risk tolerance is critical to practitioner risk management efforts. ISACA’s Risk Scenarios Toolkit offers a resource with 87 sample risk scenario templates that can assist in providing organizational engagement, analysis and structure to information and technology (I&T) risk. The templates, which are provided in Word documents that users can adapt to their unique needs, cover categories of risk, attributes needed to assess and respond to risk, the extent or scale, controls related to risk, and key risk indicators.

Some of the risk scenarios outlined in the toolkit include critical application software malfunctions, undocumented enterprise architecture, malicious insider, inadequate master data management, and pandemic outbreak.

“Detailed risk scenarios can serve to consolidate and structure important information used to communicate in the risk management process among different stakeholders and align plans with business goals,” says Lisa Young, senior metrics engineer, Netflix, and one of the lead developers for the Risk Scenarios Toolkit. “They can be a valuable tool in helping people involved across different teams and levels of leadership understand specific risk and potential business impacts.”

The Risk Scenarios Toolkit is US$49 for ISACA members and US$79 for non-members and can be accessed at . The Using Risk Tolerance to Support Enterprise Strategy white paper is free for ISACA members and is available at

ISACA also offers additional risk resources, including the Risk Starter Kit, Risk IT Framework, and Risk IT Practitioner Guide at


ISACA® ( is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for under-resourced and underrepresented populations.