The Cyber Academy take
Risk appetite is the amount and type of risk the organisation is willing to take to meet its objectives. Set at executive or board level, in writing. Without it, every risk-treatment decision is a personal judgement call by the risk team, and the audit will tear it apart. Pair with risk tolerance (the deviation tolerated around the appetite).
What risk appetite is for
Risk appetite exists to settle an argument before it happens. Every treatment decision, every "do we fix this or live with it", is really a question about how much risk the organisation is prepared to carry against the reward of pursuing its objectives. If that boundary lives only in the heads of the people running the programme, then each decision becomes a private judgement that nobody else signed, and that is exactly what an auditor or a board challenge will pull apart. A written appetite, owned at executive or board level, turns those scattered judgements into a stated organisational position. It is a steering instrument, not paperwork: it tells the risk team where they may proceed on their own authority and where a risk has to be escalated.
Crucially, appetite is set in the language of objectives, not as a single number. An organisation chasing aggressive growth in a new market will rationally accept more strategic and operational risk than one whose mandate is to protect a regulated, life-critical service. The board decides how much it is willing to expose to meet what it is trying to achieve. That is why appetite cannot be delegated to the security or risk function to invent on its own: it is a statement of intent that only the people accountable for the objectives can legitimately make.
Appetite versus tolerance versus capacity
These three are constantly confused, and the confusion is expensive. Appetite is how much risk you want to take in pursuit of objectives. Tolerance is the deviation you are willing to live with around that appetite before you act, the practical band on either side of the target. Capacity is the absolute maximum the organisation could absorb before its viability is threatened, regardless of what it wants. You set appetite below capacity on purpose, leaving headroom, and you express tolerance so that day-to-day variation does not trigger a crisis meeting every time.
| Concept | Question it answers | Who owns it |
|---|---|---|
| Risk appetite | How much risk do we want to take to meet our objectives? | Board / executive |
| Risk tolerance | How much deviation around that appetite will we accept before acting? | Executive / risk owners |
| Risk capacity | What is the most we could absorb before viability is at stake? | Board (a hard limit) |
How it shows up in the standards
In ISO 31000, risk appetite is part of the framework leadership establishes when it commits to managing risk: top management and oversight bodies are expected to define and communicate how much risk the organisation is prepared to take. ISO 27005 and the ISO 27001 information security management system rely on the same idea through risk criteria: before you can evaluate a risk, you need agreed criteria for what is acceptable, and those criteria are appetite made operational. The appetite is upstream of evaluation, and the criteria are how it gets applied consistently to each risk.
Appetite is not a poster on the wall. It only earns its keep when it is wired into the rest of the cycle. The risk evaluation step compares each analysed risk against the appetite-derived criteria to decide whether action is needed. The risk treatment decision, avoid, reduce, transfer or accept, is justified by reference to it: a risk accepted within appetite needs only a documented, authorised acceptance, while a risk above appetite demands treatment or formal, escalated sign-off. The risk register records where each entry sits relative to the appetite and who accepted what. When auditors find treatment decisions that nobody can trace back to a stated appetite, that is the gap that unravels the whole evaluation.
Practically, appetite is reviewed, not carved in stone. It is revisited as objectives change, after major incidents, and through management review, because an appetite set for last year's strategy quietly misdirects this year's decisions. The discipline is to keep it explicit, keep it owned at the top, and keep it connected to the criteria the team actually uses.
Frequently asked questions
01What is the difference between risk appetite and risk tolerance?
Appetite is the amount and type of risk the organisation wants to take to meet its objectives. Tolerance is the deviation it will accept around that appetite before it acts. Appetite is the target; tolerance is the acceptable band around it.
02Who should set the risk appetite?
The board or executive leadership, because appetite is a statement about how much exposure the organisation will accept to pursue its objectives. The risk or security team applies it, but cannot legitimately invent it on its own.
03Does it need to be written down?
Yes. An unwritten appetite means every treatment decision is a personal judgement that nobody formally authorised, which auditors and boards will challenge. A documented, owned appetite statement is what makes those decisions defensible.
04How does risk appetite relate to risk criteria in ISO 27005?
Risk criteria are appetite made operational. The appetite defines how much risk is acceptable; the criteria are the agreed thresholds the team uses to evaluate each risk consistently against that appetite.
05How often should risk appetite be reviewed?
Whenever objectives or context change significantly, after major incidents, and as part of management review. An appetite set for an old strategy will quietly steer current decisions in the wrong direction.