GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained


[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

Tag legend: 1st = 1st Party Risk; 3rd = 3rd Party Risk

Ex1: Determine and communicate risk appetite statements that convey expectations about the appropriate level of risk for the organization

Ex2: Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements

Ex3: Refine organizational objectives and risk appetite periodically based on known risk exposure and residual risk