


Risk Appetite and Risk Tolerance are also often confused with each other.

A difference between the corporate risk appetite and a business unit or project risk tolerance can lead to a serious mismatch in the perception of the risk carried by an organisation. I have seen this several times in Infosec.

The risk acceptance/treatment behaviours can also mean that the common corporate 'language' of risk ends up carrying different meanings in different places, which can catch you out if you take assessments at face value. One group's low-residual-risk system is another person's high-residual-risk system, often with both parties unaware of the mismatch.
