SEI Cyber Minute: Cyber Risk Appetite

Video
Publisher

Software Engineering Institute

Abstract

So what is risk appetite? It is the amount and type of risk that an organization is willing to accept. In other words, risk appetite specifies value ranges for key performance indicators. Examples of these include:

  • % of failed business transactions: <2%
  • market-to-book ratio: 1.0x-1.5x
  • # of high severity compliance issues: 0
  • % customer satisfaction: >88%

Note that risk appetites will vary widely by organization, and much like those that I mentioned, may not mention cybersecurity at all!