Applied Risk Appetite

“There is a certain uselessness in saying an organization does not want to accept high risk.”

My latest @ISACA article was published, and as I was re-reading this line it resonated with me even more. A risk appetite statement has to carry more fidelity in how it is defined for it to be useful. More tips on how to do that are in the full article here.

One thought on “Applied Risk Appetite”

  1. I’m always a little confused with risk appetite. I feel it rarely is of value when looking at single incidents, but these are always the example I see. When you say “We do not accept losses associated with IT risk scenarios in excess of US $1 million per incident.”
    In reality, the company has a certain budget set aside for that year for information security and maybe another “contingency budget”. The risk appetite changes as these budgets are consumed; for example, you deal with risks of 200K, 300K, 150K, and now the 1 million risk appetite probably has to be reset to something lower.
    So how do we practically deal with risk appetite when looking at aggregated risk rather than individual loss events?
