Risk Appetite 

Gartner Security & Risk Management Summit 2019

Learning your organization's risk appetite is fundamental for establishing proper accountability for managing risk. CISOs, IT security and risk management leaders need to work with business stakeholders to determine organizational risk appetites.


Key Challenges

  • The majority of enterprises don't fully grasp what their appetite for technology risk is, leading to poor decisions about risk treatment and acceptance.
  • Without a solid comprehension of evolving enterprise risk appetite, it will be impossible to properly match risk to risk treatment efficiently and effectively.
  • Security and risk management leaders are challenged when engaging with business stakeholders on how to create and articulate risk appetite statements that are not too broad or too granular.
  • The focus of risk appetite discussions tends to be based on quantitative risk models, which are often not workable or defensible.


Gartner recommends that CISOs and IT security and risk management leaders do the following:

  • Articulate and socialize the concepts of risk appetite and risk tolerance with technology and business stakeholders.
  • Engage business stakeholders in workshops to discuss the current risk landscape, possible scenarios for current and future business initiatives that may lead to excessive risk, and how to assess risk prioritization.
  • Create simple, practical and pragmatic risk appetite statements that are linked to business goals and risk treatment plans.

What is Risk Appetite?

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings. 

Risk Appetite Sessions

A Practical Guide to Creating a Useful Cybersecurity Risk Appetite Statement

  • What is risk appetite, and why do you need to know yours?
  • Best practices for having risk appetite discussions.
  • What does a good cybersecurity risk appetite statement look like?

