Risk tolerance and risk appetite

According to ISO 31000, risk appetite is a higher-level understanding of the amount and type of risk that an organization is prepared to pursue, retain, or take on in support of an objective. Risk tolerance is the level of risk the organization will accept for that specific objective.

For example:

  1. Mother, father, and child are at the park.
  2. Father wants to throw the child in the air. The risk identified is that the child will get hurt.
  3. Knowing that the father has a bond with his child, the mother allows this risk event to happen. This is the risk appetite.
  4. The height at which the mother will stop the child from being thrown in the air is the risk tolerance.

So, besides knowing that vulnerabilities need to be addressed through proper risk mitigation, we need to apply the same logic to how we look at the end-to-end processes that require multiple services and capabilities.

We need to be able to assign the appropriate risk appetite by communicating PIRs, and to establish thresholds of enforcement by defining levels of risk tolerance.

If we know that we are going to pursue a change management process, then we will have to understand the risks of running it in-house versus vendor-supported (risk appetite), as well as identify and define the levels of performance expected (risk tolerance) from each entity involved in the process.
