The Biggest Decision is a Complete Lie

by Dre Stivala | 27 Feb, 2026 | Monthly Digest

The Most Important Policy Nobody Can Explain

Problem: Most organisations have a risk appetite, but it lives as a vague paragraph that can’t survive a real decision.

Promise: By the end of this, you’ll be able to turn “risk appetite” from boardroom poetry into a usable boundary that shapes day-to-day choices.

Why nobody can explain it

Risk appetite often fails because it’s treated like a compliance artefact, something you ‘publish’ rather than something you ‘use’. Even in mature organisations, it can stay a theoretical discussion instead of being integrated into strategic planning, which is exactly when it’s meant to matter most.

The second reason is language: people mix up appetite, tolerance, capacity, and ‘red/amber/green’ ratings, then wonder why teams interpret the same risk in opposite ways. When the words aren’t shared, risk decisions default to personalities (the loudest voice, the most anxious stakeholder, or the highest-paid opinion) rather than governance.

A policy that must choose trade-offs

A real risk appetite statement isn’t “we have low appetite for cyber risk”; that’s just a preference wearing a suit. Instead, it should set boundaries around how much uncertainty you will accept ‘in pursuit of value’, because risk and reward are inseparable (no risk-taking leads to no reward).

One practical way to push it beyond cyber: treat risk appetite as your organisation’s answer to uncomfortable trade-offs. Speed vs. certainty, autonomy vs. oversight, innovation vs. explainability, cost vs. resilience. In an information security context, this becomes visible in choices like: “How much downtime is acceptable?”, “How much manual process is acceptable?”, “How much third-party dependency are we willing to carry?”, and “What kind of data use would damage trust even if it’s legal?”

Example: a fast-growing SaaS business says it has “low risk appetite,” yet continuously ships unreviewed changes on Fridays to hit revenue targets; its actual appetite is high for operational disruption and customer frustration, and low for missing growth numbers. That mismatch is where incidents, churn, and regulatory headaches are born.

Hear it from the experts. If we don't act now, we're f*cked.

  • The EBA (European Banking Authority) defines risk appetite as “the aggregate level and types of risk that the PSPs (Payment Service Providers) and institutions are willing to assume within their risk capacity, in line with their business model, to achieve their strategic objectives.”
  • COSO (Committee of Sponsoring Organisations) frames the work as three steps: develop risk appetite, communicate it, then monitor and update it. It also highlights four inputs leaders must confront: existing risk profile, risk capacity, risk tolerance, and attitudes toward risk (culture).

Make it executable (so it can be governed)

If risk appetite can’t trigger an action, it isn’t governance - it’s branding. The EBA’s ICT/security risk guidance makes this “operational”: risks should be identified, measured, monitored, managed, reported, and kept within the limits of the institution’s risk appetite.

To make appetite executable, translate it into decision rules people can apply without a workshop:

  • Define 5–8 “appetite opportunities” aligned to objectives (e.g., customer trust, financial loss, operational disruption, legal/regulatory exposure, strategic dependency).
  • Attach thresholds and escalation paths (what must be approved, by whom, and how fast).
  • Build the feedback loop: track KRIs/KPIs and revisit appetite regularly (because appetite that never changes is usually denial).

If you remember only three things…

  1. Risk appetite is a boundary for decision-making, not reading material for auditors.
  2. If you're not losing something or making painful choices, your "appetite" is a lame fantasy.
  3. Your "policy" is useless. Force the appetite into approvals, thresholds, and monitoring, or people will do what they want.

Try it once - pick one recurring decision (e.g., “ship vs. delay,” “accept vs. fix,” “onboard a supplier vs. find alternatives”) and write a one-page “risk appetite decision rule” for it, including:

  • What you optimise for.
  • What you won’t compromise.
  • The threshold that forces escalation.
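Here is what such a one-page decision rule looks like once it is executable, covering the decision rules, thresholds and escalation paths above plus the feedback loop. This is an added example, not the post’s own material: the categories, KRI names, thresholds and approver roles are constructed for the “ship vs. delay” decision and stand in for whatever your own appetite statements name.

```python
"""Risk appetite as executable decision rules (added example; all values constructed)."""
from dataclasses import dataclass

# Escalation path, least to most senior (assumed role names).
TIERS = ["auto-approve", "team lead", "head of engineering", "CISO + exec sponsor"]

@dataclass(frozen=True)
class AppetiteRule:
    category: str      # objective the appetite protects, e.g. operational disruption
    metric: str        # the KRI the rule is stated in
    thresholds: tuple  # ascending (lower_bound, tier); highest bound <= value decides
    hard_limit: float  # at or beyond this the change is outside appetite: reject, don't escalate

# Constructed appetite for the post's "ship vs. delay" decision.
SHIP_RULES = (
    AppetiteRule("operational disruption", "expected_downtime_minutes",
                 ((0, "auto-approve"), (5, "team lead"), (30, "head of engineering")), 120),
    AppetiteRule("customer trust", "customers_affected_pct",
                 ((0, "auto-approve"), (1, "team lead"), (10, "CISO + exec sponsor")), 50),
    AppetiteRule("legal/regulatory exposure", "regulated_records_touched",
                 ((0, "auto-approve"), (1, "CISO + exec sponsor")), float("inf")),
)

def evaluate(rules, kris: dict) -> dict:
    """Apply every rule to the proposed change's KRIs; the strictest outcome wins."""
    breaches, rejects = [], []
    for r in rules:
        value = kris.get(r.metric, 0)
        if value >= r.hard_limit:
            rejects.append(f"{r.category}: {r.metric}={value} >= hard limit {r.hard_limit}")
            continue
        tier = max((t for t in r.thresholds if value >= t[0]), key=lambda t: t[0])[1]
        if tier != TIERS[0]:
            breaches.append((TIERS.index(tier), f"{r.category}: {r.metric}={value}"))
    if rejects:
        return {"decision": "reject", "tier": None, "breaches": rejects}
    if not breaches:
        return {"decision": "approve", "tier": TIERS[0], "breaches": []}
    breaches.sort()  # most senior tier last
    return {"decision": "escalate", "tier": TIERS[breaches[-1][0]],
            "breaches": [b for _, b in breaches]}

def appetite_drift(observed: list, rule: AppetiteRule, tolerated_share: float = 0.2) -> bool:
    """Feedback loop: True when the first escalation bound was crossed in more than
    tolerated_share of observed periods, i.e. stated appetite and behaviour disagree."""
    first_bound = rule.thresholds[1][0]
    crossed = sum(1 for v in observed if v >= first_bound)
    return crossed / len(observed) > tolerated_share
```

Run `evaluate(SHIP_RULES, {...})` on each proposed release to get the approver the appetite demands, and feed the observed downtime figures into `appetite_drift` each quarter: a rule that keeps escalating is the SaaS mismatch from earlier, and the honest fix is to rewrite the appetite or change the behaviour, not to stop measuring.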
