Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
Explanation
Risk appetite statements are typically broad declarations about an organization's willingness to accept risk, while risk tolerance metrics provide specific thresholds that define acceptable risk levels in quantifiable terms.
For example, a risk appetite statement of 'low tolerance for customer data breaches' might be translated into measurable metrics such as 'no critical vulnerability remains open in a customer-facing application beyond the defined remediation window' or 'maximum 4-hour response time for security incidents involving customer data.' A usable tolerance metric names what is measured, the data source it is measured from, and how often it is checked; an absolute threshold such as 'zero critical vulnerabilities' is only meaningful if the organization also states how and when compliance is assessed. This translation enables consistent decision-making and clear accountability across the organization.
Evidence could include a documented risk tolerance framework that maps each high-level risk appetite statement to specific metrics, thresholds, and key risk indicators (KRIs) that are actively monitored. The document should show how abstract risk concepts are operationalized into measurable indicators that are tracked and reported to management, including who owns each indicator, where its data comes from, how frequently it is reported, and what escalation occurs when a threshold is breached.
Implementation Example
Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements
ID: GV.RM-02.016
Context
- Function
- GV: GOVERN
- Category
- GV.RM: Risk Management Strategy
- Sub-Category
- Risk appetite and risk tolerance statements are established, communicated, and maintained
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?
- Does your organization integrate cybersecurity risk management into its enterprise risk management framework?