Risk Tolerance is the operational specification of Risk Appetite: it defines which deviations from risk management targets are still acceptable — and when escalation, countermeasures or reporting become necessary.
Risk Tolerance in supplier management
In TPRM, risk tolerance defines concrete thresholds: which cyber risk score of a supplier triggers a review? At what number of open critical vulnerabilities is a supplier relationship put on hold? These tolerance limits form the basis for automated escalation processes in 360TPRM.
Risk Tolerance is defined in 360TPRM as measurable thresholds — e.g. 'Cyber Risk Score below 70 = automatic escalation to CISO'.
Risk Tolerance and regulatory requirements
NIS2 and DORA implicitly require a defined risk tolerance: organisations must specify which risks are acceptable and which measures are taken when those limits are exceeded. DORA requires concrete thresholds for ICT incidents that trigger reporting obligations. These regulatory thresholds must be integrated into TPRM processes.
DORA defines concrete reporting thresholds for ICT incidents — organisations must align their risk tolerance with these regulatory limits.
Measuring and monitoring Risk Tolerance
Risk Tolerance is measured and monitored through Key Risk Indicators (KRIs). In the supplier context, 360TPRM delivers continuous KRIs for all suppliers — cyber risk scores, exposure data, breach intelligence. When a supplier exceeds the defined tolerance limits, automatic escalation occurs.
360TPRM continuously monitors all defined supplier KRIs and automatically escalates when risk tolerance is exceeded.
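The threshold logic described in the two sections above (a cyber risk score below 70 escalating to the CISO, a count of open critical vulnerabilities putting a relationship on hold, breach intelligence feeding the KRIs) can be written down as a small policy evaluator. The code below is an added illustration and is not 360TPRM's own code; every threshold except the score-below-70 rule quoted on the page, the supplier names, the KRI values and the action names are constructed assumptions. It also shows one check a practitioner wants: tolerance limits that are ordered the wrong way round would silently never escalate, so the policy refuses to load them.

```python
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    """Escalation steps, ordered by severity so the strongest one wins."""
    NONE = 0
    REVIEW = 1
    ESCALATE_CISO = 2
    HOLD = 3


@dataclass(frozen=True)
class Tolerance:
    """Risk tolerance expressed as measurable KRI thresholds.

    Only score_escalate_below=70 comes from the page; the other values are
    assumed defaults for this example, not 360TPRM settings.
    """
    score_review_below: int = 80       # below this: schedule a review
    score_escalate_below: int = 70     # below this: escalate to the CISO
    critical_vulns_review_at: int = 1  # at least this many: review
    critical_vulns_hold_at: int = 5    # at least this many: put on hold
    breach_escalates: bool = True      # breach intelligence escalates

    def __post_init__(self) -> None:
        # Misordered limits would make the stricter rule unreachable.
        if self.score_escalate_below > self.score_review_below:
            raise ValueError("escalation score must not exceed review score")
        if self.critical_vulns_review_at > self.critical_vulns_hold_at:
            raise ValueError("review vuln count must not exceed hold count")


@dataclass(frozen=True)
class SupplierKRIs:
    """One supplier's current key risk indicators (constructed input)."""
    name: str
    cyber_risk_score: int
    open_critical_vulns: int
    breach_reported: bool = False


@dataclass(frozen=True)
class Decision:
    supplier: str
    action: Action
    reasons: tuple[str, ...]


def evaluate(kri: SupplierKRIs, tol: Tolerance) -> Decision:
    """Compare a supplier's KRIs against the tolerance and pick the
    most severe action; every breached limit is kept as a reason."""
    findings: list[tuple[Action, str]] = []
    if kri.cyber_risk_score < tol.score_escalate_below:
        findings.append((Action.ESCALATE_CISO,
                         f"cyber risk score {kri.cyber_risk_score} < {tol.score_escalate_below}"))
    elif kri.cyber_risk_score < tol.score_review_below:
        findings.append((Action.REVIEW,
                         f"cyber risk score {kri.cyber_risk_score} < {tol.score_review_below}"))
    if kri.open_critical_vulns >= tol.critical_vulns_hold_at:
        findings.append((Action.HOLD,
                         f"{kri.open_critical_vulns} open critical vulnerabilities"))
    elif kri.open_critical_vulns >= tol.critical_vulns_review_at:
        findings.append((Action.REVIEW,
                         f"{kri.open_critical_vulns} open critical vulnerabilities"))
    if kri.breach_reported and tol.breach_escalates:
        findings.append((Action.ESCALATE_CISO, "breach intelligence reported"))
    if not findings:
        return Decision(kri.name, Action.NONE, ())
    action = max(a for a, _ in findings)
    return Decision(kri.name, action, tuple(r for _, r in findings))


def monitor(suppliers: list[SupplierKRIs], tol: Tolerance) -> list[Decision]:
    """Continuous-monitoring pass: return only suppliers needing action."""
    return [d for d in (evaluate(s, tol) for s in suppliers) if d.action != Action.NONE]


# Constructed sample KRIs; the names and numbers are illustrative only.
SAMPLE_SUPPLIERS = [
    SupplierKRIs("Acme Hosting", cyber_risk_score=65, open_critical_vulns=1),
    SupplierKRIs("Beta Logistics", cyber_risk_score=82, open_critical_vulns=0),
    SupplierKRIs("Gamma Payroll", cyber_risk_score=75, open_critical_vulns=6),
    SupplierKRIs("Delta Cloud", cyber_risk_score=90, open_critical_vulns=0,
                 breach_reported=True),
]

if __name__ == "__main__":
    for d in monitor(SAMPLE_SUPPLIERS, Tolerance()):
        print(f"{d.supplier}: {d.action.name} ({'; '.join(d.reasons)})")
```

Because actions are an ordered enum, a supplier that trips several limits at once (Gamma Payroll: low score and many critical vulnerabilities) gets the single strongest action while all reasons are preserved for the escalation record, which is what a reviewer or auditor will ask for.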