1. Purpose
Define and communicate [ORGANIZATION]'s tolerance for cyber risk across different risk categories and business domains, providing the quantitative and qualitative boundaries within which risk management decisions are made.
2. Scope
This statement applies to all cyber risk management decisions across [ORGANIZATION], from strategic investment prioritization to operational risk acceptance.
3. Policy Content
3.1 Risk Appetite Principles
[ORGANIZATION] recognizes that some level of cyber risk is inherent in achieving business objectives and that eliminating all risk is neither feasible nor desirable.
Risk appetite is defined at the enterprise level by the [CUSTOMIZE: Board of Directors / Board Risk Committee] and cascaded through risk tolerance levels to business units and operational functions.
Risk appetite boundaries are not static and shall be reviewed at least [CUSTOMIZE: annually] or when triggered by significant changes to the business environment, threat landscape, or regulatory requirements.
3.2 Enterprise Cyber Risk Appetite
[ORGANIZATION] has an overall [CUSTOMIZE: LOW / LOW-TO-MODERATE] appetite for cyber risk, reflecting its obligations to [CUSTOMIZE: customers, regulators, shareholders, and the public].
The following appetite levels are established by risk category:
| Risk Category | Appetite Level | Rationale |
|---|---|---|
| Customer Data Confidentiality | [CUSTOMIZE: Very Low] | Regulatory obligations and customer trust requirements |
| System Integrity | [CUSTOMIZE: Low] | Business process reliability and regulatory reporting accuracy |
| Service Availability | [CUSTOMIZE: Low-to-Moderate] | Criticality of services and customer impact of disruption |
| Regulatory Compliance | [CUSTOMIZE: Very Low] | Zero tolerance for knowing non-compliance; low appetite for compliance gaps |
| Third-Party Risk | [CUSTOMIZE: Low] | Dependency on third parties for critical services |
| Insider Threat | [CUSTOMIZE: Low] | Access to sensitive data and critical systems |
| Emerging Technology | [CUSTOMIZE: Moderate] | Balanced need for innovation against unknown risk profiles |
| Reputational Impact | [CUSTOMIZE: Very Low] | Brand value and stakeholder confidence |
3.3 Risk Tolerance Thresholds
Risk tolerance thresholds translate the qualitative appetite into measurable boundaries that trigger escalation and action:
GREEN (Within Appetite): Risk levels are acceptable. Continue monitoring per the defined cadence. No escalation required.
AMBER (Approaching Appetite Boundary): Risk levels are trending toward the appetite boundary. Enhanced monitoring required. Risk owner must develop a treatment plan within [CUSTOMIZE: 30 days].
RED (Exceeding Appetite): Risk levels have exceeded the defined appetite. Immediate escalation to [CUSTOMIZE: CISO/Executive Risk Committee] required. Treatment plan with timeline required within [CUSTOMIZE: 5 business days].
CRITICAL (Material Breach): Risk levels represent an immediate threat to the organization. Immediate escalation to [CUSTOMIZE: CEO/Board] required. Emergency response procedures activated.
3.4 Risk Acceptance Authority
Risk acceptance decisions must be made by individuals with authority commensurate with the residual risk level:
| Residual Risk Level | Acceptance Authority | Maximum Duration | Review Frequency |
|---|---|---|---|
| Low | [CUSTOMIZE: Department Manager] | 12 months | Annually |
| Medium | [CUSTOMIZE: VP / Senior Director] | 12 months | Semi-annually |
| High | [CUSTOMIZE: CISO / CRO] | 6 months | Quarterly |
| Critical | [CUSTOMIZE: Executive Committee / Board] | 3 months | Monthly |
3.5 Approval and Review
This Risk Appetite Statement is approved by [CUSTOMIZE: Board of Directors / Board Risk Committee].
It shall be reviewed at least [CUSTOMIZE: annually] and updated when business strategy, regulatory environment, or threat landscape changes materially affect the organization's risk profile.
Changes to the risk appetite require approval at the same authority level as the original statement.
4. Compliance
Compliance with this policy is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
Approved By
Title
Date
Document Control