Defining your risk appetite

The Senior Responsible Owner (SRO), or suitable equivalent, must make sure that the risk appetite is defined and published.

When defining your risk appetite, you should consider your capability’s context, as this directly determines the level of risk that is acceptable.

You need to consider 3 levels of risk appetite:

  1. MOD’s risk appetite, as set out in JSP 440 Leaflet 1C.
  2. Your organisation’s risk appetite, for example that of your top-level budget.
  3. Your overarching programme’s risk appetite.

Your risk appetite must not introduce risk that is unacceptable to MOD or to your organisation.

Risk appetite should also be informed by the classification of information within your project.

Find out how to classify information.

A risk appetite should consider through-life activities and cover the wider range of programme decisions, not just security. A strong risk appetite statement describes the losses that are unacceptable. This helps everyone understand the boundaries they must work within.

Useful resources for developing a risk appetite statement include the NCSC blog.

Benefits

The benefits of defining your risk appetite are that it:
  • helps capabilities understand the boundaries they operate in
  • facilitates clear discussion about risk
  • secures early agreement on tolerable risk
  • supports ongoing risk management efforts

Outcomes

The outcomes of a defined risk appetite are:
  • a risk appetite statement including unacceptable losses
  • a risk appetite statement communicated to those who need to work within it

Responsibility

Those responsible for defining your risk appetite are:
  • capability sponsor
  • Senior Responsible Owner (SRO) or suitable equivalent
  • delivery team lead
  • delivery team security lead

When to define your risk appetite

You should define your risk appetite at the pre-concept or concept stage and review it continually throughout the life of the capability.