Risk is inherent in any business. It’s how an organization understands and manages it that makes all the difference.

From operational challenges to market volatility, regulatory changes and technological advancements, companies face a spectrum of uncertainties that could either generate growth or lead to losses.

To effectively manage them, a business needs to set out a framework that helps it determine just how much risk it’s willing to accept in pursuit of its objectives. This is where the concept of "risk appetite" comes into play.

But to define its risk appetite, a company has to see and understand all the risks it faces. And for security teams that are laying the groundwork for their exposure management strategy, defining their organization’s risk appetite is a critical step.

What is risk appetite?

Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives. Defining it sets boundaries for the organization regarding what risks it will take and to what degree. A high risk appetite means being open to accepting greater risks for possibly higher rewards, while a low risk appetite means the organization prefers reducing risk as much as possible.

Consider a tech startup that wants to invest in cutting-edge research and development. It may adopt a higher risk appetite to achieve disruptive, breakthrough innovations, knowing that the potential rewards are worth the uncertainty. Conversely, a large, well-established corporation might have a lower risk appetite, focusing on steady growth while avoiding projects that could significantly harm its market position or reputation.

Risk appetite is both quantitative and qualitative

Risk appetite is never static; it’s a dynamic measure that should be adjusted based on factors such as industry, company size and health, strategic objectives, regulatory requirements and the overall market environment.

Nor is it just about the numbers: risk appetite is a blend of both quantitative and qualitative factors.

On the one hand, a business has measurable elements: how much loss it’s willing to tolerate, its debt ratios and what kind of return on investment (ROI) it’s shooting for. On the other, it has subjective aspects to consider, such as the potential effect on company reputation, ethical considerations and how well its decisions align with its core values.

Why is it important to define risk appetite?

Nearly any organization that wants to succeed has to take calculated risks. But without a clear understanding of its risk appetite, it can wander into inconsistent, reactive or overly cautious decision-making. That can lead to missed opportunities or business losses. Here's why defining risk appetite is essential:

To align strategy and risk management

Having a clearly defined risk appetite provides a strategic framework that aligns risk management practices with overall business goals. When an enterprise knows how much risk it is willing to accept, it can pursue opportunities that match its risk appetite while avoiding others that might expose it to undue risk.

To improve decision-making

Defining risk appetite allows leaders and managers to make informed decisions by clearly understanding what constitutes an acceptable risk. It also sets expectations for both risk-taking and risk-avoidance behaviors across the organization, helping managers evaluate risk/reward trade-offs in different scenarios.

To build stakeholder confidence

A clearly defined risk appetite reassures investors, regulators, employees and other stakeholders that the organization prioritizes risk management. It also demonstrates a methodical, trustworthy approach to balancing risk against reward, further shoring up stakeholder confidence.

To promote consistency

When everyone in an organization “gets the memo” on how much risk is permissible, that helps them make consistent decisions because they all understand what's an acceptable gamble. This means there’s less chance of working at cross-purposes or even pulling in opposite directions. For instance, a legal department might put the brakes on a marketing team’s Big Idea if they don’t share the same notion of acceptable risk.

To support effective risk monitoring

When companies define their risk appetite, they can set up systems to monitor risk levels across the entire enterprise, from finance to operations. Thus, they’re able to spot potential issues early and ensure activities stay within the boundaries of what’s seen as safe — or at least acceptable. Setting and monitoring key risk indicators (KRIs) provides early warnings if somebody is coming too close to those boundaries.

How does a company define its risk appetite?

Typically, an organization does this by drafting a risk appetite statement (RAS). The first parts of an RAS lay out the company’s strategic objectives and the risks involved.

A company might want to become the leading software provider in its industry. It should list the strategic objectives that are vital to reaching that goal and the risks associated with each of them. For instance, Ivanti is in the business of delivering cloud-based IT services and security management solutions. That means our risk appetite statement must catalog all the risks involved in that line of business and explain how we’ll manage them.

Here’s an example of how one section of a risk appetite statement might look for a software provider:

General Risk Appetite

[Company XYZ] adopts a balanced approach to risk, recognizing that not all risks are equal and that some level of risk is necessary to achieve our strategic goals.

Innovation Risk

We have a high risk appetite for investing in advanced technologies and innovative solutions that differentiate our products in the competitive landscape. We understand this requires accepting a degree of uncertainty in R&D and product development.

Operational Risk

We maintain a low to moderate risk appetite. While striving for operational excellence, we prioritize initiatives that improve efficiency and service quality without compromising our delivery standards.

Security Risk

We have an extremely low risk appetite for security threats and breaches. Our commitment to network security and data protection is paramount, and we invest substantially in safeguarding our systems and our clients’ data.

Compliance Risk

We have a low risk appetite for non-compliance with legal and regulatory requirements. Ensuring adherence to relevant laws, standards and best practices in all operational areas is critical.

The RAS should define the risks that would have the greatest impact on the organization, not everyday risks that are simply part of doing business. It ought to account for multiple risk scenarios; for instance, a specific strategy may entail supply chain risk, such as the effects of being locked into a vendor or the dangers of regulatory exposure if a supplier mishandles customer data.

It should also define the amount of financial risk a company is willing to take on. If its objectives include offering a new product or service, there's always a chance of failure in the marketplace.

Components of risk appetite

These are key factors that have to be considered in defining risk appetite:

Risk capacity

This refers to the maximum amount of risk that an organization can bear. Financial resources, operational capabilities and regulatory constraints determine it. Risk capacity differs from risk appetite: an organization may have the capacity to take on a certain level of risk but might choose not to, based on its risk appetite.

Risk tolerance

Whereas risk capacity is about how much risk an organization can withstand, risk tolerance is the acceptable deviation from its risk target. An organization may even set different tolerances for different areas. For example, it might be comfortable taking a chance on a new product but risk-averse about managing customer data.

Risk thresholds

We’ve mentioned risk monitoring and KRIs above; they’re used to keep a company from crossing risk thresholds — the “red lines” that represent too much risk. Crossing a risk threshold might require a change in plans, increased safety measures or even a complete halt to the activity in question.


Why is risk appetite important in exposure management?

Once upon a time, mitigating digital risk was much simpler than it is today. That’s because most large organizations’ attack surfaces have vastly expanded over time. The addition of more devices and applications, used by employees in more places, has transformed the workplace and expanded the digital threat landscape.

It’s one reason why Ivanti research found that more than half of IT professionals are not very confident they can prevent a damaging security incident in the next 12 months. More than one in three even say they’re less prepared to detect threats and respond to incidents than they were a year ago.

Traditional vulnerability management has long focused on reactively remediating known software and hardware vulnerabilities (CVEs), usually on the basis of intermittent scans. Today’s cyberthreat landscape demands a new approach.

Modern exposure management focuses on continually and proactively finding and remediating risks and vulnerabilities across the entire digital attack surface, whether they arise from exposed IT assets, unsecured endpoints and applications, cloud-based resources or other vectors. What makes exposure management and risk appetite so intertwined?

  • Assessing exposure according to acceptable risk levels: Exposure management involves quantifying the risk levels associated with different exposures. By defining acceptable risk, organizations can compare the possible impact of different risks with their risk appetite.
  • Deploying resources based on risk: Organizations must prioritize which exposures pose the greatest threat to their strategies – an assessment they can only make with a clear understanding of their risk appetite. That prioritization lets them concentrate resources on mitigating the most critical ones, often with the help of a risk-based vulnerability management (RBVM) tool.
  • Adjusting risk appetite: As a business environment changes or new risks emerge, risk appetite may need to be adjusted. The data and insights organizations uncover as part of their exposure management practice help them make informed decisions around such adjustments.
  • Ensuring compliance: Many industries have regulatory requirements related to risk management, which in turn influence an organization’s risk appetite. Exposure management involves identifying and addressing risks that could cause non-compliance.
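To show how the appetite levels in a risk appetite statement can be operationalized as thresholds and KRIs for exposure prioritization, here is an added Python example (not code from the original post or from Ivanti). The per-category appetites follow the sample RAS section above; the threshold values, the capacity ceiling, the likelihood-times-impact scoring and the findings are constructed assumptions.

```python
from dataclasses import dataclass

# Appetite level -> maximum residual risk score (0-10) tolerated in that
# category (hypothetical values; risk owners set the real ones).
APPETITE_THRESHOLD = {"extremely low": 2.0, "low": 4.0,
                      "low to moderate": 5.0, "high": 8.0}

# Per-category appetite, mirroring the sample RAS section on this page.
RAS_APPETITE = {"security": "extremely low", "compliance": "low",
                "operational": "low to moderate", "innovation": "high"}

RISK_CAPACITY = 9.0  # hard ceiling the org can bear at all (hypothetical)


@dataclass
class Exposure:
    name: str
    category: str
    likelihood: float  # 0-1: chance the exposure is exploited or occurs
    impact: float      # 0-10: business impact if it does

    def residual_score(self) -> float:
        return round(self.likelihood * self.impact, 2)  # constructed formula


def evaluate(exposures):
    """Return (name, category, score, status) rows, worst breaches first."""
    rows = []
    for e in exposures:
        score = e.residual_score()
        threshold = APPETITE_THRESHOLD[RAS_APPETITE[e.category]]
        if score > RISK_CAPACITY:
            status = "exceeds capacity"       # beyond what the org can bear
        elif score > threshold:
            status = "KRI breach"             # crossed the appetite red line
        elif score > 0.8 * threshold:
            status = "approaching threshold"  # early warning from the KRI
        else:
            status = "within appetite"
        rows.append((e.name, e.category, score, status, score - threshold))
    rows.sort(key=lambda r: r[4], reverse=True)  # distance past threshold
    return [r[:4] for r in rows]


SAMPLE = [  # constructed findings, not real data
    Exposure("unpatched internet-facing VPN appliance", "security", 0.7, 9),
    Exposure("customer data in an unapproved SaaS tool", "compliance", 0.5, 7),
    Exposure("CI pipeline locked into a single vendor", "operational", 0.3, 6),
    Exposure("beta ML feature with unproven accuracy", "innovation", 0.8, 5),
]
```

Note that the same numeric score lands in different statuses depending on the category's appetite: a 6.3 is a breach under the extremely low security appetite but would sit within the high innovation appetite.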


Looking at security risk through the lens of exposure management

A notable difference between exposure management and other security practices is that exposure management includes not just prioritizing remediation of the exposures that pose the greatest risk to the organization, but actively defining which risks fall within the organization’s risk tolerance. For example, an e-commerce company may be willing to accept heightened security risk in order to keep its site functional on Black Friday – the tradeoff is worth it to them.

Instead of viewing every potential risk as a crisis that needs instant remediation, organizations need to prioritize them based on business needs. In this framework, most risk isn’t bad: it’s about how you react to it, control it and mitigate it to bring it to an acceptable level.