What best defines enterprise risk tolerance?

Risk tolerance is the organization-wide threshold for risk exposure—the maximum level of risk the entity is willing to accept in pursuit of its objectives. It turns the broader risk appetite into concrete, measurable limits that guide decisions, controls, and reporting across all parts of the organization. This concept is distinct from risk appetite, which describes the general willingness to take on risk, while tolerance specifies the actual boundaries for different risk categories. It isn’t about penalties or avoiding all risk; it’s about balancing risk and reward within the company’s capacity and strategy. It also isn’t framed as a benchmark against others but as a reflection of the organization’s own capacity to absorb or withstand risk.