Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives. It is a strategic choice made by executive leadership and the board, not a technical determination; security teams implement it, for example by selecting controls and setting thresholds, but they do not set it. An aggressive fintech startup and a federal healthcare agency would have very different risk appetites.
Risk appetite differs from risk tolerance, which is the acceptable deviation from the risk appetite target before action is required. If an organization sets its appetite at $1 million in expected annual security losses, its risk tolerance might permit actual losses to vary between $800,000 and $1.2 million; a result outside that band triggers escalation to leadership for review.
CISSP Relevance
Risk appetite is a foundational concept in Domain 1 (Security and Risk Management). CISSP candidates must understand how risk appetite drives security program decisions and how a risk appetite statement is translated, through tolerance thresholds and risk treatment choices (mitigate, transfer, avoid or accept), into concrete security control requirements.
External reference: NIST Glossary Risk Appetite
Related terms: Risk Management, Residual Risk