Every organisation has a risk appetite. Not all of them have written it down. The ones that have mostly describe tolerance.
A post by Ekaterina Zuckermann recently laid out a sharp three-question test for where risk appetite actually lives: who can stop work, under which conditions, and who absorbs the cost of stopping. A release manager who can block production over unresolved critical findings. A head of operations who can halt a plant restart over safety concerns. An incident manager who can isolate systems without waiting for executive approval. If stopping requires escalation, persuasion, or personal courage, the appetite is already high. Risk appetite lives where stopping is routine, not heroic.
It got me thinking about a pattern I keep seeing: organisations that can answer those three questions clearly, and still have no functioning governance between what they say they will accept and what they actually do.
Two things that look the same and are not
Risk appetite is forward-looking. The level of risk an organisation is willing to accept in pursuit of its objectives, expressed in policy, guidelines, and board statements. What the organisation says it will do.
Risk tolerance is operational reality. The actual boundaries within which the organisation operates day to day, including where those boundaries get exceeded under pressure. What the organisation actually does.
Most organisations treat these as the same thing. They are not. The three-question test (who stops, under what conditions, and what happens to them afterwards) reveals where tolerance actually sits. That is valuable on its own. But it also exposes a gap that rarely gets discussed.
The gap nobody manages
Between appetite and tolerance sits governance. Most risk discussions skip this part entirely.
Governance is not a rulebook. It is not a compliance checklist. It is the deliberate, ongoing process of managing the distance between what the organisation says it will accept and what actually happens in reality.
Organisations live in that distance. That is normal. Every commercial operation makes trade-offs between objectives, and risk acceptance is built into those trade-offs whether anyone documents it or not. In practice, tolerance wins. Business deadlines, commercial pressure, and operational reality consistently override policy. This is how organisations function under pressure.
That is not automatically a failure. It becomes one when it happens silently and without accountability.
What conscious governance looks like
A critical business project has a hard go-live deadline. Three weeks out, security and privacy work is incomplete. Two assessments are not started. A data processing agreement is unsigned. The business sponsor has board visibility on the launch date.
Block the go-live and you protect the policy baseline. You also damage the business relationship and create an adversarial dynamic that makes every future conversation harder.
Accept a temporary exception and you acknowledge the gap. Document what is incomplete. Set a remediation timeline. Monitor actively. Leadership knows what they are choosing. Security is not pretending the policy applies; it is saying: under these conditions, with this timeline, and with this monitoring in place, we accept the risk.
The second option is not compliance failure. It is conscious risk acceptance. That is governance working.
Security professionals often miss this. The instinct is to enforce standards as hard baselines, pass or fail, compliant or non-compliant. But standards are direction, not destination. When security treats every policy as a binary gate, it positions itself as a blocker. That mindset is part of why security functions lose credibility with the business.
Good governance makes trade-off decisions explicit rather than pretending the policy still applies when it does not. Leadership owns the decision rather than pushing the cost downward to the person who raised the risk. The difference is documented: what was accepted, why, and what monitoring is in place. Temporary exceptions have defined end states, not open-ended drift.
Why the gap stays open
If conscious governance is this straightforward, the obvious question is why so few organisations do it.
It is not because they lack frameworks. In regulated industries, most organisations have risk appetite statements, tolerance definitions, and governance committees. The vocabulary exists. The process exists on paper. In manufacturing and operational environments, many do not even have that. But both types face the same problem.
The problem is that closing the gap requires someone to put their name on a decision. A documented trade-off has an owner. An undocumented one does not. When a risk is accepted silently, everyone is protected. When it is accepted explicitly, the person who signed it is exposed.
That changes the incentives. Keeping the gap open is not negligence. For the individuals involved, it is the rational choice. Ambiguity protects everyone. Clarity protects the organisation but exposes the decision-maker.
This is why risk appetite frameworks can be sophisticated, well-funded, and completely ineffective at the same time. The framework exists to demonstrate that governance is happening. Whether it actually narrows the distance between appetite and tolerance is a different question, and one that most organisations prefer not to answer too precisely.
The real question
A conscious trade-off is a good one. An unconscious one is a problem.
Zuckermann’s three-question test tells you where tolerance sits. The question it opened up for me is what sits between tolerance and appetite, and whether anyone is managing it.
If your organisation cannot explain that difference, and cannot point to the governance process that manages the gap, the distance between appetite and tolerance is not a gap in the framework. It is the framework.
Part of the series: ‘From Paper ISMS to Working Security’
I advise manufacturing companies on security governance and risk management. If this resonates with challenges in your organisation, get in touch.