The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis