A threshold of risk an entity is willing to assume in order to achieve a potential desired result. Tolerance measures the organization's or stakeholder's readiness to bear the risk that remains after risk treatment in order to achieve its objectives. In this Framework, the term is used with the assumption that risk tolerances can be defined with sufficient precision to be translated into actionable metrics. Note: Risk tolerance can be influenced by legal or regulatory requirements.
Retrieved and adapted from CNSSI 4009-2015, NIST SP 800-160 [Superseded], NIST SP 800-32, NIST SP 800-137, and NISTIR 8183, each under "Risk Tolerance" (2018). https://csrc.nist.gov/glossary/term/risk-tolerance