Most everyone has trouble with these concepts and for good reason. COSO did not explain these at all well. Let’s translate COSO’s theory into real world practicality.
COSO says that
Risk Tolerance, on the other hand, is the range of potential results that you’re willing to accept in pursuit of a goal. For instance, one production strategy might deliver (with 99% certainty) production in the range of 100-110 units per hour. A totally different strategy might deliver (with the same 99% certainty) production in the range of 75 – 300 units per hour. If you feel more comfortable with the first strategy, you have a lower risk tolerance.
Think of it this way – risk appetite is all about goal setting. Risk tolerance relates to developing and selecting a strategy in pursuit of that goal. This is a huge simplification and there are many logical implications that can be explored, but this provides a firmer footing for discussion than COSO’s definitions.