GV.RM-02.015
Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
Explanation
Risk appetite statements define the types and amounts of risk an organization is willing to accept in pursuit of its objectives. They should be tailored to individual business functions (a payments platform and an internal wiki will not share the same appetite) and should guide decisions about which security controls to implement, where to invest, and how operations are run. To be usable, a statement needs to be specific enough that a team can tell whether a proposed design, vendor, or exception falls inside or outside it; a statement that only says "we have a low appetite for cyber risk" gives no basis for such a decision.

Without clear risk appetite statements, organizations tend to apply security measures inconsistently across business areas, or to accept exposures that leadership would not knowingly have approved.

Evidence of fulfillment could include a formal risk appetite framework document, board-approved risk appetite statements, internal communications distributing these statements to the stakeholders who make risk decisions, or meeting minutes showing regular review and revision of the statements as business conditions change.
Implementation Example
Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization.
ID: GV.RM-02.015
Context
- Function
- GV: GOVERN
- Category
- GV.RM: Risk Management Strategy
- Sub-Category
- Risk appetite and risk tolerance statements are established, communicated, and maintained