Ask the Guru: Cybersecurity “Risk Appetite”

Ask the Guru: Cybersecurity “Risk Appetite”

Hey Guru
I saw multiple references to the term “risk appetite” in the FFIEC Cybersecurity Assessment Tool.  What exactly is risk appetite, and how can I address this in my institution? They just released Management Handbook contains 10 new references to “risk appetite”, including a requirement that the Board  has defined the institution’s risk appetite and it’s risk tolerance levels.

There are 6 references to “risk appetite” in the FFIEC cybersecurity tool, and although it is not a new concept in risk management, this is a term I have not seen in regulatory guidance before outside of lending and credit practices.  Here are all references in context:

  • The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.
  • The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement.
  • The risk appetite is informed by the institution’s role in critical infrastructure.
  • The independent audit function regularly reviews management’s cyber risk appetite statement.
  • The independent audit function regularly reviews the institution’s cyber risk appetite statement in comparison to assessment results and incorporates gaps into the audit strategy.
  • Threat intelligence is viewed within the context of the institution’s risk profile and risk appetite to prioritize mitigating actions in anticipation of threats.

Risk tolerance is pretty well documented in current guidance, and although there are subtle differences between the terms, I see risk tolerance and risk appetite as largely synonymous for most institutions.  Here is a good working definition of risk appetite:

The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.

How should you address cybersecurity risk appetite?  You probably already have both inherent and residual risk assessed in your cybersecurity risk assessment, and have identified each as either “High”, “Medium”, or “Low”.  Risk “appetite” is simply a decision by management that the residual risk level is acceptable.  In other words, management is willing to accept the remaining risk as the cost of achieving its objectives.

For example, you’ve identified a vendor as having high inherent risk, and applied the necessary controls to reduce the risk as much as you can.  The remaining (residual) risk is deemed by management to be either acceptable or unacceptable based on their risk tolerance.  So if you use a “High”, “Medium” and “Low” designation for residual risk, a value of “Low” or even “Medium” can be deemed acceptable if it is within the risk appetite of the institution.

Establishing your risk appetite for cybersecurity can be accomplished using either a qualitative or quantitative approach.  A quantitative approach requires an analysis of specific financial loss connected to a cybersecurity event.  While this is a valid way to document risk, it can be a challenge for all but the largest institutions.

Most institutions prefer a qualitative approach, which uses a scale (i.e. 1 – 10, or H, M, and L) to rank the impact of a cyber event on reputation risk, strategic risk, regulatory/legal risk and/or operational risk.  Management can then determine the level of acceptable risk in each risk category.  For example, you may decide you have a very low (1-3) tolerance for risks in the reputation category, but you may be willing to accept a higher level (3-5) in the operational area.

Free White Paper

Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why some of the most commonly believed “facts” about IT outsourcing for banks are actually myths.

7 Reasons Why Small Community Banks Should Outsource IT Network Management

Once you’ve established your risk appetite, the easiest way to document it is to add a “Risk Appetite” column to your existing cybersecurity risk assessment (ideally just after “Residual Risk”), where you designate remaining risk as either acceptable or unacceptable.

You might also want to amend your Information Security Policy to add a risk appetite statement.  Something like this:

“The Board has established specific strategic goals and objectives as defined in its strategic plan.  To increase the probability of achieving these goals, the Board has established acceptable risk tolerances within its risk appetite.  The board periodically reviews the risk appetite and associated tolerances, and may adjust them to adapt to changing economic conditions and/or strategic goals.”

Print Friendly, PDF & Email
Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.


  1. Thank you for the information, how many risk category that we should include for Commercial Financial Insitutation? Any information from FFIEC Assessment Tool area? Thanks.


    1. Hi Nancy, thanks for the question. Some folks simply use “acceptable” and “unacceptable” as the residual risk categories, others use a more granular “H”, “M” and “L”, or even 1 – 5. The FFIEC Cyber Assessment Tool doesn’t specify a preferred way for institutions to measure residual risk, only that it be assessed and measured. Of course they use Least, Minimal, Moderate, Significant, and Most to measure inherent risk, and you could do the same for residual. That would allow you to show for example a Moderate inherent risk reduced to a Least or Minimal residual risk level after controls.

      Another approach is to measure inherent risks according to the CAT risk levels (Least, Minimal, etc.), and controls according to the CAT control maturity levels (Baseline, Evolving, Intermediate, Advanced, and Innovative), then determine whether residual levels are either high, medium or low (or acceptable/unacceptable). Hope this makes sense!

Write a Comment