Develop your technology risk appetite

Gartner Article

CISOs who define their technology risk appetite are in a better position to improve business performance, enhance their risk management processes and better meet external stakeholder expectations.


Business units such as Marketing or Supply Chain are constantly seeking ways to optimize their business and inject growth through technology adoption. However, before they move forward, it is imperative that CISOs determine whether the ideas fall within an acceptable range of risk. For companies with a defined technology risk appetite, this is a straightforward business decision.

So where do you begin to create a risk appetite statement?

  • Explain the risk concepts. Clarify terminology and taxonomy and cover the purpose, process and payoff expected of the risk appetite statement.
  • Validate the business case for risk appetite. Confirm the state of your risk management and the support needed to undertake a risk appetite project.
  • Assess business stakeholder perspective. Have participants convey their views on their preferred risk-taking posture and build a consensus on the appetite for risk in light of the organization’s risk philosophy.
  • Confirm and plan go-forward actions. Identify roles and responsibilities, set timelines and define critical success factors.

After you’ve finalized your risk appetite statement, determine how to best communicate it and break it into three critical parts:

  • What is important?
  • What is dangerous?
  • What is real?


Provide clear answers to each and highlight the areas that directly impact business end-users. Anything that falls outside this remit is considered to be outside your technology risk appetite.

Join us to find out more.