        Risk Appetite Statement Examples

        Published March 24, 2022 • By Reciprocity • Blog
        It might seem strange to refer to a component of your cyber risk management plan as an “appetite” – but defining your organization’s appetite for risk is indeed part of risk management, and an important one.

        Put simply, risk appetite is the level of risk your organization will accept in your business proceedings, and what you plan to do about those risks. This includes any risk-taking needed to meet your success metrics, as well as the risk management you have in place to protect against those threats.

        A risk appetite statement puts those decisions in writing, tying them to your broader business objectives. It’s a living document, critical to risk management since it helps to establish parameters and priorities for your policies, procedures, and internal controls.

        How Do You Write a Risk Appetite Statement?

        First, a CISO should never make major risk management decisions alone. You should assemble key stakeholders and senior management from across different departments within your organization to help you evaluate goals. These conversations will guide your continued risk management even after your initial risk appetite statement is drafted.

        Once you have your team together, decide on shared terms to keep the document concise and unified. Different groups may have different internal vocabulary for the same business objective, and you’ll want to be sure everyone speaks with a common language for a smooth decision-making process.

        You’ll need to prioritize strategic objectives in relation to risk tolerance and success metrics across your organization. You may have already done this if you’ve recently completed your regular cyber risk assessment. You can look at your risk profiles within that assessment to get an idea of how to proceed. Additionally, consider strategic risks that may not have directly been addressed in your prior assessment: what risk tolerance does your company have for losses from failed business decisions?

        One way to categorize your operational risks is to assign them different risk profiles. This may come naturally via prioritization, but if you need an example, you can look to the U.S. Agency for International Development’s (USAID) 2018 risk appetite statement.

        USAID breaks things down into risk categories including:

        • Programmatic
        • Fiduciary
        • Reputational
        • Legal
        • Security
        • Human capital
        • Information technology

        USAID then assigns each category an “overall risk appetite,” ranging from high to low, which you can see in greater detail in USAID’s risk appetite statement. Each category has a risk profile and smaller breakdowns by operational risk. Then USAID lists relevant regulators and internal controls for risk management.

        Of course, this is only one type of risk appetite statement. Your risk managers should spend time reviewing exemplary statements together; a few examples follow to get you started.

        Examples of Risk Appetite Statements

        USAID has a thorough risk statement that is worth reading as a primer for what an extensive appetite statement can encompass. For example, from the 2018 statement:

        “We have a MEDIUM risk appetite with regard to: Implementing long-term strategic focus in our country programs. We will set priorities and implement long-term strategic focus in our country programs based on rigorous analysis and collaboration with key stakeholders to achieve more effective results. We will also continually balance this with our obligation to implement initiatives, directives and/or priorities from Congress and the interagency not foreseen during the strategy development process.”

        In this example, the agency clearly states the level of risk appetite for a specific instance. You can see in the document itself how the agency breaks down associated risks for each category, including mitigation techniques for those smaller subcategories.

        Another example of a risk appetite statement comes from the Office of the Comptroller of the Currency (OCC), a regulator for retail and community banks in the United States:

        “The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure. The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives. The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.”

        Note in this example how it’s possible to have “no appetite” for a certain type of risk. In this instance, it makes sense that an organization dedicated to ensuring the safety and security of financial institutions doesn’t want to take any chances with information systems and confidential data.

        On the other hand, the OCC is willing to take some risks to develop improved systems and to try innovative technology to meet user demand. Its mitigation technique for this moderate appetite is to think through decisions about new programs via the agency’s own governance process.

        ZenRisk and Your Risk Appetite Statement

        Risk-taking is a key part of success for many businesses, and is not something to be avoided. That does not mean you have to tolerate an amount of risk beyond your decided acceptable levels.

        You can maintain a healthy, regular cybersecurity routine via Reciprocity ZenRisk. You’ll have access to seamless data flows in one enterprise risk management dashboard, allowing you to monitor changes and quickly export data on new potential threats. A tool like ZenRisk makes maintaining a living risk appetite statement that much simpler.

        Learn more by requesting a demo today.
