Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
Explanation
Risk appetite statements define the types and amounts of risk an organization is willing to accept in pursuit of its objectives.
These statements should be tailored to different business functions and should guide decision-making processes when evaluating security controls, investments, and operational procedures.
Without clear risk appetite statements, organizations may implement inconsistent security measures or make decisions that expose them to unacceptable levels of risk.
Evidence of fulfillment could include a formal risk appetite framework document, board-approved risk appetite statements, internal communications distributing these statements to relevant stakeholders, or meeting minutes showing regular review and updates to risk appetite statements based on changing business conditions.
Implementation Example
Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization
ID: GV.RM-02.015
Context
- Function: GV: GOVERN
- Category: GV.RM: Risk Management Strategy
- Sub-Category: Risk appetite and risk tolerance statements are established, communicated, and maintained
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?
- Does your organization integrate cybersecurity risk management into its enterprise risk management framework?