Risk appetite is the total risk the organisation can bear in a given risk profile, usually expressed in aggregate. In contrast, risk tolerance is the level of risk that an organisation can accept per individual risk; risk tolerance is related to the acceptance of the outcomes of risk should they occur and having the right resources and controls in place to absorb or “tolerate” the given risk, expressed in qualitative and/or quantitative risk criteria. On the other hand, Risk appetite is related to the longer-term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.