AuditFront
Risk Management

Risk Appetite

The level and type of risk an organization is willing to accept in pursuit of its objectives. Risk appetite defines the boundaries within which the organization operates and guides decision-making about which risks to accept, mitigate, transfer, or avoid.

Risk appetite is a strategic concept that bridges executive leadership and operational risk management. It establishes the overarching level of risk an organization is prepared to bear, considering its strategic objectives, industry context, regulatory environment, and stakeholder expectations. Risk appetite is typically expressed through qualitative statements (such as 'the organization has a low appetite for risks that could result in regulatory sanctions') and quantitative thresholds (such as maximum acceptable financial loss or downtime hours). A closely related concept is risk tolerance, which defines the acceptable variation around specific risk metrics.

Defining and communicating risk appetite is a governance requirement across multiple compliance frameworks. ISO 27001 Clause 6.1 requires organizations to establish information security risk criteria, which inherently involves defining risk appetite. The risk assessment process must evaluate risks against these criteria to determine which require treatment. SOC 2's risk management requirements expect organizations to have a defined approach to risk that includes appetite and tolerance levels. NIS2 requires essential entities to have governance-level oversight of cybersecurity risks, which naturally includes defining organizational risk appetite. In technology due diligence, a clearly articulated risk appetite demonstrates mature governance and helps assessors understand the organization's security investment decisions.

In practice, establishing risk appetite requires collaboration between the board or senior management, risk management functions, and operational teams. The process typically involves identifying the organization's key objectives and the categories of risk that could threaten them, defining appetite levels for each category (information security, financial, operational, reputational, regulatory), and cascading these into operational risk tolerance thresholds that can guide day-to-day decision-making. Risk appetite should be reviewed regularly: at least annually, and whenever significant changes occur in the business environment, threat landscape, or regulatory requirements. Importantly, risk appetite is not static; it may change as the organization matures, enters new markets, or faces new threats.
