Risk appetite
Definition
The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing body. Risk appetite sets the threshold above which identified risks require treatment; it is expressed differently in qualitative (a rating threshold) and quantitative (a monetary ceiling) frameworks.
Related terms
- ALE (Annualised Loss Expectancy): The expected monetary loss from a specific threat over a one-year period. Calculated as: ALE = SLE x ARO (Annualised Rate of...
- CISO (Chief Information Security Officer): The senior executive responsible for developing and maintaining the information security programme. The CISO reports to the board or a board committee...
- Control gap: A deficiency in the design or operation of a control that leaves a fraud scheme inadequately mitigated. Design gaps exist where no...
- COSO Fraud Risk Management Guide: A framework published by the Committee of Sponsoring Organizations of the Treadway Commission that provides a methodology for identifying, assessing, and responding...
- FAIR (Factor Analysis of Information Risk): A quantitative risk framework standardised by The Open Group (Open FAIR) that decomposes risk into Loss Event Frequency and Loss Magnitude, each...
- Governance, Risk, and Compliance (GRC): An integrated discipline that combines governance structures, risk management processes, and compliance monitoring into a unified programme. GRC platforms and frameworks allow...
- Inherent fraud risk: The level of fraud risk present in a business process or transaction type before any controls are applied. Scored on likelihood and...
- Policy hierarchy: The layered document set that translates governance intent into operational requirements. Tiers typically run: information security policy, topic-specific policies, standards, procedures, and...
- Qualitative risk assessment: A methodology that rates likelihood and impact on descriptive or ordinal scales (such as 1-5 or low/medium/high) and combines them in a...
- Quantitative risk assessment: A methodology that assigns monetary values to threat scenarios using metrics such as asset value, exposure factor, SLE, ARO, and ALE. Outputs...
- Residual fraud risk: The level of fraud risk that remains after existing controls are applied and operating. If residual risk exceeds the organisation's risk appetite...
- Residual risk: The risk that remains after controls are applied. If residual risk exceeds the organisation's risk appetite, further treatment is required or management...
Explained in these topics
- The Fraud Risk Assessment Process: The amount and type of risk an organisation is willing to accept in pursuit of its objectives. In the fraud risk context, it sets the threshold above which res...
- Risk Assessment Methodologies: The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing body. Risk appetite sets the thresho...
- Risk Treatment and the Risk Register: The amount and type of risk an organisation is willing to accept in pursuit of its objectives, expressed by senior management or the board. Risks within appeti...
- Security Governance Frameworks Overview: The level and type of risk an organisation is willing to accept in pursuit of its objectives, approved by the board. The risk appetite statement sets the outer...