Risk appetite is the amount and type of risk an organization is willing to accept to achieve its strategic objectives.
Risk appetite defines the boundaries within which the organization operates regarding risk. It is set at top management level and broken down into risk tolerances (acceptable ranges per process) and risk thresholds (escalation points). It is a critical input for risk assessment and treatment in ISO 31000 and any ISMS.
It is set by top management or the board, advised by the risk officer. It is a strategic decision that cannot be delegated to operational levels.
It is documented in a formal statement that establishes the risk categories, the acceptable level for each, and the escalation criteria to apply when thresholds are exceeded.