AuditRubric
gv-rm-2 · critical · Govern / Risk Management Strategy

Risk appetite and risk tolerance statements are established, communicated, and maintained

Risk appetite and tolerance statements answer the question of how much risk the organization is willing to accept before taking action. Without them, individual teams make ad hoc decisions that may wildly diverge from what leadership actually wants. Documenting these thresholds prevents both under-reaction (ignoring a risk that crosses a line leadership cares about) and over-reaction (spending resources on risks the business has implicitly accepted).

Estimated effort: 6h
Tags: governance, risk-management, risk-appetite, risk-tolerance, strategy
Complete first: gv-rm-1

Implementation steps

  1.

    Draft risk appetite and tolerance statements with leadership

    Risk appetite is a qualitative statement (e.g., 'We have a low appetite for risks to customer PII'). Risk tolerance is the quantitative threshold (e.g., 'Any vulnerability with a CVSS score above 9.0 must be remediated within 72 hours'). Draft statements for key risk categories: data breach, availability, compliance, and third-party risk.

    Tools: confluence, google-docs, notion
  2.

    Get executive or board approval on the statements

    Risk appetite must be set by the business, not just the security team. Present the draft statements to the executive team or board and capture formal approval. Ensure the statements are realistic given current controls and budget constraints.

    Tools: google-docs, docusign, confluence
  3.

    Distribute statements and integrate them into risk processes

    Publish the approved statements in your risk management policy and make them available to anyone involved in risk decisions. Reference them in the risk register so that each risk entry is evaluated against the defined thresholds. Review and update annually or after major business changes.

    Tools: confluence, jira, notion
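Step 3 asks that each risk register entry be evaluated against the approved tolerance thresholds. The following is an added example of such a check, not code from the AuditRubric page: it classifies register entries as breached, within their remediation window, accepted (below the severity the business cares about), closed, or uncovered (no tolerance statement exists for the category, which is itself a governance gap worth surfacing). The only threshold taken from the page is the sample "CVSS above 9.0 remediated within 72 hours"; the other categories' values and every register entry are constructed for illustration.

```python
"""Evaluate a risk register against documented risk tolerance thresholds.

Added example. Threshold values (other than the page's CVSS 9.0 / 72h sample)
and the register entries are constructed, not taken from any real organization.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Tolerance:
    category: str
    min_cvss: float       # severity at or above which the tolerance applies
    max_open_hours: int   # remediation window leadership committed to


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    category: str
    cvss: float
    opened: datetime      # timezone-aware timestamp when the risk was logged
    status: str           # "open" or "closed"


# Assumed tolerance statements keyed by risk category.
# "data" mirrors the page's example; the other two are constructed values.
TOLERANCES = {
    "data": Tolerance("data", min_cvss=9.0, max_open_hours=72),
    "availability": Tolerance("availability", min_cvss=7.0, max_open_hours=168),
    "compliance": Tolerance("compliance", min_cvss=4.0, max_open_hours=720),
}


def evaluate_entry(entry: RiskEntry, tolerances: dict, now: datetime) -> str:
    """Classify one register entry against the tolerance for its category.

    Returns one of: "uncovered" (no statement for the category), "closed",
    "accepted" (below the severity line, i.e. implicitly accepted risk),
    "within-window", or "breached" (open past the committed window).
    """
    tol = tolerances.get(entry.category)
    if tol is None:
        return "uncovered"          # governance gap: no appetite/tolerance stated
    if entry.status == "closed":
        return "closed"
    if entry.cvss < tol.min_cvss:
        return "accepted"
    deadline = entry.opened + timedelta(hours=tol.max_open_hours)
    return "breached" if now > deadline else "within-window"


def evaluate_register(register: list, tolerances: dict, now: datetime) -> dict:
    """Map each classification to the sorted list of risk ids that fall in it."""
    report: dict = {}
    for entry in register:
        report.setdefault(evaluate_entry(entry, tolerances, now), []).append(entry.risk_id)
    return {status: sorted(ids) for status, ids in report.items()}


# Constructed sample register, evaluated at a fixed point in time.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_REGISTER = [
    RiskEntry("R-1", "data", 9.8, NOW - timedelta(hours=96), "open"),          # 72h window exceeded
    RiskEntry("R-2", "data", 9.1, NOW - timedelta(hours=24), "open"),          # still inside the window
    RiskEntry("R-3", "data", 5.5, NOW - timedelta(days=30), "open"),           # below the 9.0 line
    RiskEntry("R-4", "availability", 7.5, NOW - timedelta(hours=200), "open"), # 168h window exceeded
    RiskEntry("R-5", "third-party", 8.0, NOW - timedelta(hours=10), "open"),   # no statement for category
    RiskEntry("R-6", "compliance", 6.0, NOW - timedelta(days=60), "closed"),
]

if __name__ == "__main__":
    for status, ids in evaluate_register(SAMPLE_REGISTER, TOLERANCES, NOW).items():
        print(f"{status:14} {', '.join(ids)}")
```

The "uncovered" outcome is deliberate: a register entry whose category has no approved statement should not be silently treated as accepted, since that is exactly the ad hoc decision-making the control is meant to remove. Re-running the check on a schedule, or on every register change, gives the "risk register showing tolerance thresholds applied to each entry" evidence listed below.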

Evidence required

Risk appetite and tolerance statement document

A written, approved document containing qualitative risk appetite statements and quantitative risk tolerance thresholds for key cybersecurity risk categories.

  • Risk management policy including a dedicated appetite and tolerance section
  • Board-approved risk appetite statement with defined thresholds
  • Standalone risk tolerance matrix covering availability, data, compliance, and third-party risk

Evidence of communication and integration

Proof that the statements have been shared with relevant teams and are being used to guide risk decisions.

  • Risk register showing tolerance thresholds applied to each entry
  • Security team meeting notes referencing risk appetite in prioritization discussions
  • SLA or vulnerability management policy that cites specific tolerance thresholds

Related controls