New White Paper from ISACA Delves into Risk Tolerance
Posted: Tuesday, Nov 01

i 3 Table of Contents

New White Paper from ISACA Delves into Risk Tolerance
From KBI

Sydney, Australia (1 November 2022) – The first step to addressing the myriad types of risk that need to be managed in an organisation is understanding risk appetite and tolerance. ISACA has released two new resources that offer guidance in both areas: the Using Risk Tolerance to Support Enterprise Strategy white paper and Risk Scenarios Toolkit.


The Using Risk Tolerance to Support Enterprise Strategy white paper examines the definitions of risk appetite, risk tolerance and risk capacity, not only for risk practitioners but also for management. It contrasts risk appetite against risk tolerance and explores the range of tolerance and the use of tolerance limits and triggers. It also offers guidance on how to establish a risk tolerance framework and use risk tolerance measures to make decisions, as well as how to track, report and control risk tolerance.


The publication outlines several key benefits of risk tolerance, including:

  • Provides structure to the conversation and communicating explicitly what is acceptable.
  • Increases transparency of the risk management process, enabling stakeholders to better understand the enterprise’s risk position.
  • Helps board of directors articulate appropriate levels of risk tolerance.
  • Supports the communication of risk that matters the most to the enterprise as it pursues its strategic objectives.


“Many use risk-related terms interchangeably, which can lead to confusion among stakeholders and inconsistent implementation of risk management efforts,” says Paul Phillips, ISACA Director of Event Content Development. “It is important that risk practitioners, boards of directors, and managers are all on the same page regarding risk tolerance, risk appetite and risk capacity so they are able to make informed decisions on balancing risk with meeting business objectives while each effectively play their vital roles in risk management.”


Understanding risk tolerance is critical to practitioner risk management efforts. ISACA’s Risk Scenarios Toolkit offers a resource with 87 sample risk scenario templates that can assist in providing organisational engagement, analysis and structure to information and technology (I&T) risk. The templates, which are provided in Word documents that users can adapt to their unique needs, cover categories of risk, attributes needed to assess and respond to risk, the extent or scale, controls related to risk, and key risk indicators.


Some of these risk scenarios outlined in the toolkit include critical application software malfunctions, undocumented enterprise architecture, malicious insider, inadequate master data management, and pandemic outbreak.


“Detailed risk scenarios can serve to consolidate and structure important information used to communicate in the risk management process among different stakeholders and align plans with business goals,” says Lisa Young, senior metrics engineer, Netflix, and one of the lead developers for the Risk Scenarios Toolkit. “They can be a valuable tool in helping people involved across different teams and levels of leadership understand specific risk and potential business impacts.


The Risk Scenarios Toolkit is US$49 for ISACA members and US$79 for non-members and can be accessed at The Using Risk Tolerance to Support Enterprise Strategy white paper is free for ISACA members and is available at


ISACA also offers additional risk resources, including the Risk Starter Kit, Risk IT Framework, and Risk IT Practitioner Guide at






ISACA® ( is a global community advancing individuals and organisations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organisations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organisation that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for under-resourced and underrepresented populations.



Karen Keech,, 0411 052 408

The Production Team
The KBI Production Team is a staff of specialist technology professionals with a detailed understanding across much of cybersecurity and emerging technology. With many decades of collective industry experience, as well as expertise in marketing & communications, we bring news and analysis of the cybersecurity industry.
Share This