LR-201c · Module 2
Risk Tolerance Frameworks
Not all risk must be eliminated. Some risk is acceptable — even desirable — given the business context. A startup launching an AI product accepts risks that a regulated financial institution cannot. A pilot deployment with ten internal users carries different tolerance than a production deployment serving a million customers. The risk tolerance framework defines what level of risk the organization is willing to accept, in which categories, and under what conditions.
Do This
- Define risk tolerance levels per risk category — technical, operational, legal, reputational may have different thresholds
- Tie tolerance levels to business context — deal value, client type, deployment scope, regulatory environment
- Document risk acceptance decisions explicitly — who accepted, what risk, what conditions, what review cadence
- Revisit tolerance levels when business conditions change — a new regulation may lower previously acceptable thresholds
Avoid This
- Apply a single risk tolerance across all categories — legal risk tolerance should be lower than technical risk tolerance
- Accept risk implicitly by not addressing it — unaddressed risk is not accepted risk; it is ignored risk
- Set tolerance levels without stakeholder input — risk acceptance is a business decision, not a compliance decision
- Lock tolerance levels permanently — they must evolve with the business and regulatory landscape
I use a three-tier tolerance framework. Green: risk is within tolerance, proceed with standard monitoring. Amber: risk is approaching tolerance limits, enhanced monitoring and mitigation planning required. Red: risk exceeds tolerance, deployment is blocked until mitigation brings the risk within tolerance or the business formally accepts the elevated risk with documented justification. The framework is simple. The discipline is in applying it consistently.