GRCWatch
Sign inStart free trial

ID.RM-2: Define and Express Your Organization's Risk Tolerance

Risk tolerance—the level of risk your organization is willing to accept—must be clearly documented and communicated across leadership and security teams. Without explicit risk tolerance statements, security investments become misaligned with business strategy, leaving organizations either over-protected or dangerously exposed. NIST CSF control ID.RM-2 requires you to establish and articulate this tolerance to guide all downstream risk decisions.

What this means

Risk tolerance definition means your organization has formally determined the types and levels of risk it will accept in pursuit of business objectives. This isn't a single number—it's a set of statements that reflect your appetite for different risk categories: operational disruption, data loss, regulatory violation, reputational damage, and financial impact. These tolerance statements become the baseline against which all risk assessments are measured, ensuring consistent decision-making from board level down to individual security projects.

How to comply

  1. 1.Convene cross-functional stakeholders (CFO, legal, operations, security, board) to discuss organizational objectives and constraints.
  2. 2.Document acceptable risk thresholds for each material risk category: availability, confidentiality, integrity, compliance, and financial impact.
  3. 3.Define quantitative ranges where possible (e.g., 'acceptable annual loss <$500K', 'maximum acceptable downtime: 4 hours') and qualitative criteria for unmeasurable risks.
  4. 4.Translate tolerance statements into security metrics and KPIs that teams can operationalize.
  5. 5.Communicate approved risk tolerance to all stakeholders in writing, with clear ownership and approval chain.
  6. 6.Review and update risk tolerance annually or when business strategy, threat landscape, or regulatory environment changes materially.

Evidence auditors look for

  • Board-approved risk tolerance statement document with sign-offs from executive leadership.
  • Risk tolerance matrix mapping risk categories to acceptable loss thresholds and decision criteria.
  • Security program roadmap that references and prioritizes controls based on stated risk tolerance.
  • Meeting minutes from risk tolerance definition sessions showing stakeholder input and consensus.
  • Policy document embedding risk tolerance criteria into incident response and business continuity plans.
  • Annual risk tolerance review memo confirming continued alignment with organizational strategy.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically links your documented risk tolerance to control selection and residual risk calculations, ensuring every security investment you prioritize aligns with your stated risk appetite.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ID.RM-1: Risk Management ProcessID.RM-3: Risk Mitigation PrioritizationID.GV-1: Organizational GovernancePR.IP-9: Risk and Security Metrics