What is Risk Appetite, Tolerance & Threshold?
Three nested dials: appetite is the general disposition — how much uncertainty the organization is willing to pursue for reward ("we accept aggressive schedule risk to be first to market"). Tolerance is the acceptable range around objectives ("±10% on budget"). Threshold is the hard number that triggers action or escalation ("any risk above $500K exposure goes to the board").
Exam pattern: appetite is qualitative strategy, threshold is the quantified line. When a scenario quotes a specific figure someone must not cross, that's a threshold speaking.
Worked example
A biotech's appetite: bold on science risk, zero on compliance risk. Its tolerances: trial timelines ±3 months. Its thresholds: any single risk >$2M or any compliance risk at all escalates immediately. When a $1.8M equipment risk appears, the project manages it; when a $150K record-keeping gap appears, it's in front of the board in 48 hours — small money, zero appetite. The dials, not the dollar size, made the call.