June 4, 2013

What is Risk Appetite?

Governance, Risk and Compliance (GRC) sounds like a complicated subject to many people. I felt the same way when I started my career in this exciting field of Risk & Security. Like me, you have probably heard two terms, “Integrated GRC Framework” and “Risk Appetite”, used quite a lot in your organisation. Integrated GRC Framework is a complicated subject that is difficult to explain in one blog post, so I will start with the concept that is really important to understand: “Risk Appetite”. I first heard this popular term a few years ago, and it puzzled me for quite some time before I could clearly understand what it really means in simple terms.

To understand the term, I went to our friend Google and asked, “What is Risk Appetite?” Google responded with 2.3 million results. There were so many blog posts, articles and publications on the topic that I struggled to work out which one was the best answer.

I read a number of documents and posts, but I still did not feel confident that I could explain this to a layperson in simple terms. Then I went to another source, Wikipedia, which defines Risk Appetite as, “The level of risk that an organization is prepared to accept, before action is deemed necessary to reduce it. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings on”. That does not help much either, does it?

I went back to Google and this time looked up the dictionary meaning of “appetite”:

  • An instinctive desire, especially one for food or drink
  • A strong wish or urge


Applied to Risk Appetite, this translates to “an instinctive desire or a strong urge to take on risk”. Let me explain this with a simple example. Every weekend when I decide to take my family out in our car, I know I am taking a risk: we could have an accident that harms me and my family. I decide to take that risk anyway, because:

  • All of us will be wearing seat belts
  • My car has airbags
  • My car has good safety features
  • I am a good driver
  • I have good reflexes
  • I am not going to exceed the speed limit
  • I am going to be careful
  • There are laws and regulations that every other driver has to abide by

What this means is that the risk is within my appetite, so I decide to “Take That Risk”.

Now consider an alternate scenario: my car has gone to the garage, and a friend offers to drive us to our destination. In this scenario, I have to take the following points into consideration:

  • I know he has a history of speeding
  • His car does not have good safety features
  • He does not maintain his car well
  • He has been disqualified from driving once, and
  • He appears to be under the influence of alcohol

In these circumstances, the risk is NOT within my appetite, so I decide to “Avoid Taking That Risk”.

All of us practise risk management, knowingly or unknowingly, in our daily lives. We adjust our risk appetite based on various factors, for example the surrounding environment, the place, the time of day and so on. When we are walking down a familiar street during the day, we might be less cautious of our surroundings. However, if we are walking down an unfamiliar street at night and there are not many people around, we become more attentive and aware of our surroundings and take appropriate steps to stay within our risk appetite.

So, put simply, Risk Appetite is “an instinctive desire or a strong urge to take on risk”.

by Jitender with 9 comments filed under Compliance Management, GRC, Risk Management


  • Patrick

    Nice one Jitender 🙂

  • Krish

    Nicely put mate.

  • Jitender

    Thanks Patrick & Krish. I am glad that you liked it.

  • Andrew Rose

    Hi Jitender,

    Now we need to push on to the REALLY interesting conversation of how you quantify and document your risk appetite? Taking it from an intuitive gut feeling (which is how many CISOs work it) to a process!

    Look forward to catching up next week!

    • Jitender

      Hey Andrew,

      Agreed, it’s about time that we have a clear definition of Risk Appetite and a methodology to come to a clear definition of Risk Appetite. That being said, while we continue on that journey, gut feeling is not necessarily a bad thing.

      I have often seen security & risk locking horns with business on Risk Ratings, and sometimes that deviates the whole conversation from Risk Remediation to disagreement on Risk Ratings.

      There is a lot of work that needs to be done in this space, and security leaders need to take the lead on driving maturity within their organisation.

  • John

    Like many things in RM, we tend to over-complicate things. I see your point, but would not use it as a definition. Appetite is a measurement of the level of risk someone / something is willing to take. Or not take, if you look at it the other way round.

    • Jitender

      Hi John, thanks a lot for your comment and for reading my blog post. I understand your point. The definition I mentioned was more from a simplistic angle, relating it to the word appetite.

  • Rakkhi

    Not a bad definition… not a huge fan of the word “instinctive” in the definition though. There is a lot of bias that you are not even aware of when it comes to “gut feel”.

    Also, what you gave was a very clear-cut example. Where we face this in security, especially in large corporates, it is a lot more grey. E.g. is putting a CRM system in the cloud to save 40% TCO within appetite? BYOD, using something as simple as Google Docs.

    Because the information risk field is not mature, we lack a lot of historical data and we deal with long tail / black swan events, it is very hard to clearly say whether something is within risk appetite or not. Even in your example: how many of those controls can be removed (without going to the extreme of the second scenario) and still be within appetite? Is that justifiable and repeatable?

    • Jitender

      Hi Rakkhi, long time 🙂 I did not want to explain this using any academic terms, so I tried to make it simple. At the end of the day, a business has finite money to spend on controls, and it’s always about striking the right balance between investment in controls and risk exposure. Any business spending excessive money on controls will face the issue of continuous spend. An important aspect to consider is that putting in a control is not a one-time investment; there is continuous spend associated with the control to make sure it’s working and effective.
