FortaRisks
Governance and risk management

Risk appetite

Risk appetite is the level of risk an organization is willing to take to achieve its objectives. Defined by leadership, it acts as a compass: it indicates which risks to reduce first and which to tolerate, and it frames security decisions so that effort is neither excessive nor insufficient.

Updated on July 2, 2026

What is risk appetite?

Risk appetite expresses the amount and type of risk an organization is willing to accept in pursuit of its objectives. It is a governance decision: it translates a strategic stance into a reference point that then guides all risk-treatment decisions.

No organization can, or should, aim for zero risk: that would be paralyzing and ruinous. Risk appetite embraces this fact and formalizes it, rather than leaving it to each person's implicit judgment.

Why it matters for your organization

Without a defined risk appetite, security sails without a heading: you over-invest in minor risks out of caution and neglect others out of habit. An explicit appetite aligns trade-offs with a common intent decided at the top.

It is also what lets you say no in a defensible way. Accepting a risk becomes a conscious, documented decision, not an oversight. Conversely, a risk that exceeds the appetite triggers mandatory action.

How to put it into practice

  • State the appetite in clear terms, at the leadership level.
  • Break it down into concrete tolerances by domain or activity.
  • Link it to the risk map to place each risk against the accepted threshold.
  • Review it when strategy, context or threat evolves.

Where organizations most often fall short

The most common pitfall is stating a risk appetite only in theory, in a document that is never used to decide anything. An appetite that guides no real decision is mere window dressing. The other mistake is leaving it to technical teams alone, when it is a governance decision.

Frequently asked questions

What is the difference between risk appetite and risk tolerance?

Risk appetite is the general direction, set at the strategic level: how much risk the organization is willing to bear. Risk tolerance is more operational: the concrete limits, by domain or activity, not to be exceeded. Appetite sets the heading, tolerance draws the boundaries.

Who defines risk appetite?

It is a responsibility of leadership and, often, the board. Cybersecurity cannot set the acceptable level of risk on its own: it is a governance decision that balances security, cost, agility and business objectives. Technical teams then apply it.
