Risk Appetite
What is Risk Appetite?
Risk Appetite: The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
Risk appetite expresses, at a strategic level, how much risk an organization is prepared to take in order to create value. It is usually formalised in a risk appetite statement that covers categories such as financial loss, customer impact, regulatory exposure, and cyber incidents, often in high-level qualitative language. The statement is the starting point for risk tolerances, which translate each appetite category into measurable limits; those limits in turn drive control investment and treatment choices and are cascaded into business unit metrics and key risk indicators with thresholds that trigger escalation. Boards and senior management are accountable for setting the appetite and revisiting it as strategy, the threat landscape, or regulation evolves. COSO ERM treats a practical, measurable appetite statement as a core element of enterprise risk management; ISO 31000 expresses the same idea through the risk criteria an organization defines before it assesses risk.
● Examples
- 01: "Zero tolerance for unauthorized disclosure of regulated personal data."
- 02: "Willing to accept moderate financial volatility from new digital products within agreed limits."
● Frequently asked questions
What is Risk Appetite?
The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Risk Appetite mean?
The aggregate amount and type of risk an organization is willing to pursue or accept in pursuit of its strategic objectives, set by the board and senior leadership.
How does Risk Appetite work?
Risk appetite expresses, at a strategic level, how much risk an organization is prepared to take in order to create value. It is usually formalised in a risk appetite statement that covers categories such as financial loss, customer impact, regulatory exposure, and cyber incidents, often in high-level qualitative language. The statement is the starting point for risk tolerances, which translate each appetite category into measurable limits; those limits in turn drive control investment and treatment choices and are cascaded into business unit metrics and key risk indicators with thresholds that trigger escalation. Boards and senior management are accountable for setting the appetite and revisiting it as strategy, the threat landscape, or regulation evolves. COSO ERM treats a practical, measurable appetite statement as a core element of enterprise risk management; ISO 31000 expresses the same idea through the risk criteria an organization defines before it assesses risk.
How is Risk Appetite put into practice?
Risk appetite is a governance instrument, not a threat, so there is nothing to defend against. It is put into practice by translating each appetite category into concrete risk tolerances and key risk indicators with thresholds, funding the controls that keep residual risk within those limits, and reporting threshold breaches to senior management and the board so that either the controls or the appetite itself can be revised.
What are other names for Risk Appetite?
The term is often used interchangeably with risk appetite statement, which strictly refers to the document that records the appetite. It is also sometimes conflated with risk tolerance, although tolerance is the narrower, measurable limit derived from the appetite.
● Related terms
- Risk Tolerance: The acceptable variation around a specific objective or risk category, expressed as concrete quantitative or qualitative limits derived from the broader risk appetite.
- Risk Management: The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Enterprise Risk Management (ERM): An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
- Risk Treatment: The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
- Residual Risk: The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
- ISO/IEC 27001: The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.