GV.RM-02.017

Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?

Explanation

This question assesses whether your organization regularly evaluates and adjusts its risk tolerance thresholds and strategic objectives in response to changing threat landscapes and actual risk exposure. As business conditions, technologies, and threats evolve, organizations need to recalibrate their risk appetite to ensure security controls remain aligned with business priorities and acceptable risk levels. Without this periodic refinement, security controls may become misaligned with actual business needs or fail to address emerging risks adequately. Evidence of compliance could include documented risk appetite statements with revision history, minutes from risk committee meetings showing periodic reviews, formal reports comparing actual risk exposure against defined thresholds, or updated risk management policies with approval dates and signatures from executive leadership.

Implementation Example

Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk

ID: GV.RM-02.017

Context

Function: GV: GOVERN
Category: GV.RM: Risk Management Strategy
Sub-Category: Risk appetite and risk tolerance statements are established, communicated, and maintained

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub