1. Risk Appetite is the amount and the type of risks that an organization is willing to take in or absorb.
Notes (1): During the risk assessment, some risks will be identified as too expensive to mitigate, as having too low a likelihood, or a combination of both. The level of risk that an organization is willing to accept should be based on the likely consequence of a certain risk occurring.
Notes (2): Risk appetite varies from organization to organization, as the level of risk that an organization is willing to take depends on the nature of the organization's business and the executive management team managing the organization.
Notes (3): In the new ISO 22301:2019, risk appetite is seen as a subjective term when implementing BCM. The emphasis is to understand the point at which the impact of not resuming the activity would be unacceptable.
(Source: ISO 22301:2012 – Societal Security – Business Continuity Management Systems - Requirements) - clause 3.49
3. Total amount of risk that an organization is prepared to accept, tolerate or be exposed to at any point in time.
(Source: British Standard BS25999-1:2006 Code of Practice for Business Continuity Management)
4. Willingness of an organization to accept a defined level of risk.
(Source: Business Continuity Institute - BCI)
(Source: ENISA - the European Network and Information Security Agency. BCM & Resilience Glossary)