Risk Appetite vs Risk Tolerance: 3 Decision Lines

Define risk appetite, tolerance, acceptance, and criteria so EHS leaders can stop vague risk language from approving serious exposure in field decisions.


Key takeaways

  1. Define risk appetite as the leadership position on what safety exposure the organization is willing to pursue, retain, reduce, or avoid.
  2. Separate tolerance from appetite by writing measurable thresholds, time limits, escalation triggers, and evidence requirements before work begins.
  3. Escalate any SIF-related deviation when critical controls are missing, unverified, bypassed, overdue, or owned by the deadline holder.
  4. Connect risk criteria, tolerance, and acceptance authority so the matrix does not become a quiet permission system for serious exposure.
  5. Request Andreza Araújo’s safety risk governance diagnostic when your leadership team needs risk language that changes decisions, not paperwork.

Risk appetite is the amount and type of occupational safety risk an organization is willing to pursue or retain, while risk tolerance is the allowed deviation from that position. In safety management, the distinction matters because SIF exposure, legal duties, and control authority cannot be managed by vague acceptance language.

What does risk appetite mean in safety?

Risk appetite in safety is the board or senior leadership position on what exposure the organization is prepared to pursue, retain, reduce, or avoid before work begins. ISO 31000:2018 specifies that risk management should be integrated into governance and decision making, which means appetite must guide priorities rather than sit as a sentence in a policy.

In practical terms, a company may have low appetite for fatality exposure, moderate appetite for temporary operational disruption, and higher appetite for controlled innovation in safer equipment design. The trap is declaring low appetite for harm while approving repeated exceptions in safety risk acceptance authority without evidence that controls actually work.

As Andreza Araújo argues in Safety Culture: From Theory to Practice, culture appears in repeated decisions. A leadership team that says people come first but accepts the same high-risk workaround for 90 days has expressed its real appetite through behavior, not through values language.

How is risk tolerance different from appetite?

Risk tolerance is the measurable range of variation the organization will permit around its stated appetite, usually expressed through limits, triggers, thresholds, or escalation rules. If appetite says the company will not normalize uncontrolled SIF exposure, tolerance defines what deviation forces escalation within 24 hours, 7 days, or the next shift.

For example, a site may state zero appetite for running a critical machine without an interlocked guard. Its tolerance may allow a locked-out maintenance diagnostic for 2 hours under permit, supervision, and engineering approval, but not a production restart with the guard bypassed. That difference is where safety language becomes operational.

HSE explains that employers are not expected to eliminate every risk, but they must do everything reasonably practicable to protect people from harm. In safety governance, tolerance is dangerous when it becomes a quiet permission to live with preventable exposure because the schedule is tight.

3 decision lines that separate appetite from tolerance

The clearest way to separate appetite from tolerance is to define 3 decision lines: strategic intent, legal duty, and escalation authority. Each line answers a different question, which prevents leaders from treating risk appetite, risk tolerance, and residual risk acceptance as interchangeable labels.

Strategic intent: Appetite states what level of safety risk the organization is willing to carry in pursuit of its objectives, such as expansion, production continuity, or contractor mobilization.

Legal duty: Tolerance cannot override legal obligations under occupational safety law, ISO 45001 commitments, permit conditions, or local regulator expectations.

Escalation authority: Residual exposure above a defined threshold must move to a leader who can pause work, fund controls, verify critical controls, or redesign the task.

Across 25+ years leading EHS at multinationals, Andreza Araújo has observed that the third line is often the weakest. Companies debate risk wording in committees, yet field teams still lack proof that the barrier, alarm, isolation, guard, or supervision routine will hold during real work.

When does tolerance become unsafe risk acceptance?

Tolerance becomes unsafe risk acceptance when deviation from the stated appetite continues without a named owner, evidence file, expiration date, or escalation path. The warning sign is not one exception; it is the same exception appearing across permits, management of change records, near misses, and audit findings for 30, 60, or 90 days.

EU-OSHA describes risk assessment as a dynamic process that should account for relevant risks, check adopted safety measures, document outcomes, and review the assessment regularly. A tolerance threshold that is not reviewed after a near miss has stopped functioning as governance.

This is where the risk matrix can hide fatal exposure. A low-likelihood, high-consequence task may sit inside an apparently acceptable band, although the credible outcome is a serious injury or fatality. Andreza Araújo’s Portuguese title A Ilusão da Conformidade, "The Illusion of Compliance", challenges exactly this pattern: paperwork can look complete while the operating risk remains unchanged.

How should EHS managers use the 2 terms?

EHS managers should use appetite for governance direction and tolerance for operational thresholds, then connect both to risk criteria, critical control verification, and residual risk acceptance authority. The practical test is whether a supervisor can tell, before work starts, which deviations are allowed, which require escalation, and which stop the job immediately.

A workable rule is to define 3 lines on one page. First, list exposures with no appetite, such as uncontrolled SIF scenarios. Second, list tolerable deviations with limits, evidence, and time windows. Third, name the authority level for accepting residual risk after controls have been verified.

ILO guidance on controlling risks places prevention policy, risk control, and worker protection inside the OSH management system. That is the better lens for EHS leaders: appetite and tolerance should direct control decisions, not decorate the risk register.

In more than 250 cultural transformation projects supported by Andreza Araújo's team, the strongest organizations make this distinction visible during planning meetings, permit reviews, and executive risk reviews. They do not ask only whether risk is red, amber, or green. They ask who has authority to accept the remaining exposure, which controls have been verified, and when the deviation expires.

Risk appetite vs risk tolerance in practice

Risk appetite and risk tolerance become useful when they change everyday decisions. The comparison below gives EHS managers a simple way to translate the terms into field governance.

Risk appetite
  Decision question: What exposure are we willing to pursue or retain?
  Safety example: No appetite for uncontrolled SIF exposure during production.
  Common failure: Stating a value that leaders do not enforce.

Risk tolerance
  Decision question: What deviation is allowed before escalation?
  Safety example: Temporary deviation allowed for 1 shift with permit, engineering approval, and verified controls.
  Common failure: Letting a temporary exception become normal work.

Risk acceptance
  Decision question: Who may approve the remaining exposure?
  Safety example: Site leader accepts residual risk only after EHS and engineering challenge.
  Common failure: Allowing the deadline owner to approve the exception.

Risk criteria
  Decision question: How do we judge significance?
  Safety example: Severity, likelihood, legal duty, SIF potential, and control reliability.
  Common failure: Reducing judgment to a color in the matrix.
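The three decision lines and the warning signs above (no named owner, no evidence file, no expiration date, no escalation path, approval by the deadline holder) can be written as an explicit check rather than left to judgment in the field. The following is an added example, not the author's or any standard's code; the record layout, the 2-hour tolerance window and the field names are assumptions chosen to match the article's diagnostic scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed site tolerance: a deviation window no longer than the 2-hour diagnostic in the article.
TOLERANCE_WINDOW = timedelta(hours=2)


@dataclass
class Deviation:
    """One temporary deviation from the stated appetite (hypothetical record layout)."""
    task: str
    sif_potential: bool           # credible serious-injury-or-fatality outcome
    controls_verified: bool       # critical controls checked in the field, not assumed
    controls_bypassed: bool       # guard, interlock or isolation defeated
    owner: Optional[str]          # named owner of the deviation
    approver: Optional[str]       # who accepted the residual risk
    deadline_owner: str           # who holds the schedule pressure
    evidence_file: Optional[str]  # where the verification evidence lives
    started_at: datetime
    expires_at: Optional[datetime]


def decide(dev: Deviation, now: datetime) -> Tuple[str, List[str]]:
    """Walk the three lines; return ("stop" | "escalate" | "allow", reasons)."""
    reasons: List[str] = []
    # Line 1, strategic intent: no appetite for uncontrolled SIF exposure.
    if dev.sif_potential and dev.controls_bypassed:
        return "stop", ["SIF exposure with a bypassed critical control"]
    if dev.sif_potential and not dev.controls_verified:
        reasons.append("SIF-related deviation with unverified critical controls")
    # Line 2, tolerance: only with owner, evidence, expiry and a bounded window.
    if dev.owner is None:
        reasons.append("no named owner")
    if dev.evidence_file is None:
        reasons.append("no evidence file")
    if dev.expires_at is None:
        reasons.append("no expiration date")
    elif now > dev.expires_at:
        reasons.append("deviation expired")
    elif dev.expires_at - dev.started_at > TOLERANCE_WINDOW:
        reasons.append("requested window longer than tolerance")
    # Line 3, escalation authority: the deadline holder may not accept the residual risk.
    if dev.approver is None:
        reasons.append("no escalation path or approver")
    elif dev.approver == dev.deadline_owner:
        reasons.append("accepted by the deadline owner")
    return ("escalate" if reasons else "allow"), reasons
```

A record that is tolerable returns "allow" with no reasons; every reason returned names the governance element that is missing, which is what the escalation conversation should be about.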

The next useful move is to compare these terms with ALARP decisions, especially where leaders claim that more control is not reasonably practicable. When the company cannot explain the rejected controls, the residual exposure, and the escalation owner, it has not defined tolerance. It has only documented a risk it is still carrying.

Frequently asked questions

What is the difference between risk appetite and risk tolerance?
Risk appetite is the amount and type of safety risk an organization is willing to pursue or retain. Risk tolerance is the measurable deviation allowed from that appetite before escalation is required. In EHS practice, appetite guides governance, while tolerance sets thresholds such as time limits, control requirements, approval levels, and stop-work triggers.
Can a company have tolerance for fatality risk?
A company should not normalize tolerance for uncontrolled SIF exposure. It may define tightly controlled temporary deviations for specific work, such as a short diagnostic under permit, isolation, supervision, and engineering approval. The key is that credible fatal exposure must trigger higher authority, verified controls, and an expiration date.
How does ISO 31000 relate to risk appetite?
ISO 31000:2018 frames risk management as part of governance and decision making. While organizations express appetite differently, the standard’s logic requires risk criteria, evaluation, treatment, monitoring, and review. For safety leaders, appetite becomes useful only when it is translated into criteria, thresholds, and authority rules.
How is risk tolerance different from ALARP?
Risk tolerance sets the deviation an organization will allow around its appetite, while ALARP asks whether further risk reduction is reasonably practicable. The two meet when leaders justify why stronger controls were rejected. The internal guide on ALARP decisions expands on this distinction.
Where should an EHS manager start with risk appetite?
Start with one high-risk work family and write three lines: exposures with no appetite, tolerable deviations with evidence and time limits, and authority levels for residual risk acceptance. Andreza Araújo’s safety culture diagnostic approach starts from repeated decisions because those decisions reveal the real culture.

About the author

Andreza Araújo

Safety Culture Expert | Senior EHS Executive

Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.

  • Civil & Safety Engineer (Unicamp)
  • M.A. Environmental Diplomacy (University of Geneva)
  • Sustainability Cert (IMD Switzerland)
  • People Management & Coaching (Ohio University)
  • UN Paris speaker representative for Brazil
  • ILO Turin speaker
  • LinkedIn Top Voice
  • Indra Nooyi PepsiCo CEO recognition (2x)
