The Risk Appetite Settings page allows your organisation to define how much ICT risk it is willing to accept, configure the score thresholds that trigger treatment or escalation, and establish a formal review cadence. This article explains the concepts behind risk appetite, walks through every field on the settings page, and shows how your thresholds affect day-to-day risk management decisions.
Understanding Risk Appetite
Risk Appetite vs Risk Tolerance vs Risk Capacity
These three terms are often confused. Understanding the distinction is critical for configuring the settings correctly:
| Concept | Definition | Example |
|---|---|---|
| Risk Appetite | The amount and type of risk an organisation is willing to pursue or retain in order to achieve its objectives. It is a strategic-level statement. | "We accept moderate ICT risk where it enables operational efficiency." |
| Risk Tolerance | The boundaries of acceptable variation around the risk appetite. It is the range of risk the organisation can absorb before action is needed. | "Individual risks scoring up to 6 are accepted; 7–15 require treatment." |
| Risk Capacity | The maximum amount of risk the organisation can absorb before its survival is threatened. It is a structural limit. | "A single incident costing more than EUR 5M would threaten our solvency." |
In Venvera, the Risk Appetite Level sets the strategic posture, while the Acceptance Threshold and Escalation Threshold define the operational tolerance boundaries within your 5×5 risk matrix (scores 1–25).
Why Defined Thresholds Matter
Without explicit thresholds, risk treatment decisions become subjective and inconsistent. Regulators expect documented risk appetite:
- DORA Art. 6(8) requires financial entities to establish and maintain an ICT risk management framework that includes risk tolerance levels.
- NIS2 Art. 21 requires appropriate and proportionate cybersecurity risk-management measures, which implies a defined appetite to judge proportionality.
- ISO 27005 and ISO 31000 both call for risk criteria that define how risk significance is assessed and what levels require treatment.
Accessing Risk Appetite Settings
Navigate to Risk Management → Settings (gear icon on the Risk Management dashboard) or click the Risk Appetite Settings link. The page has three sections: Risk Appetite Level, Risk Thresholds, and Review & Approval.
Risk Appetite Level
The first section presents three strategic posture options. Select the one that best matches your organisation's approach:
| Level | Description | When to Use |
|---|---|---|
| Conservative (green) | Minimize risk exposure. Low tolerance for uncertainty. Strict controls across all operations. | Heavily regulated entities, critical infrastructure operators, financial institutions where even minor disruptions are unacceptable. Typically paired with low acceptance thresholds (e.g., 3–4). |
| Moderate (amber) | Balanced approach. Accept some risk for operational efficiency. Controls proportionate to impact. | Most organisations. Balances security investment with business agility. Typical acceptance threshold around 5–8. |
| Aggressive (red) | Higher tolerance. Prioritize speed and innovation over controls. Accept greater uncertainty. | Start-ups, R&D units, organisations in fast-moving markets where speed-to-market outweighs control overhead. Acceptance threshold might be 10–12. |
Threshold Configuration
Risk scores in Venvera are calculated as Likelihood × Impact on a 5×5 matrix, producing scores from 1 (lowest) to 25 (highest). Two thresholds divide this range into three action zones:
Acceptance Threshold
| Property | Value |
|---|---|
| Range | 1 – 24 |
| Default | 6 |
| Input | Slider + numeric input |
| Meaning | Risks scoring at or below this value are accepted without mandatory treatment |
Example: With an acceptance threshold of 6, a risk scoring Likelihood 2 × Impact 3 = 6 would fall into the "Accept" zone. No treatment plan is required, though the risk should still be monitored.
Escalation Threshold
| Property | Value |
|---|---|
| Range | 2 – 25 |
| Default | 15 |
| Input | Slider + numeric input |
| Meaning | Risks scoring above this value require executive escalation and board-level decision |
Example: With an escalation threshold of 15, a risk scoring Likelihood 4 × Impact 5 = 20 would require immediate escalation to senior management or the board.
25-Cell Threshold Preview
Below the threshold sliders, a visual bar displays all 25 possible risk scores (1–25) with colour-coded zones:
| Zone | Score Range | Colour | Action Required |
|---|---|---|---|
| Accept | 1 to Acceptance Threshold | Green (emerald) | Risk is within appetite. Monitor but no mandatory treatment. Document acceptance rationale. |
| Treat | Above Acceptance to Escalation Threshold | Amber | Risk requires a treatment plan. Assign controls, set target dates, and track mitigation progress. |
| Escalate | Above Escalation Threshold to 25 | Red | Risk exceeds tolerance. Requires executive or board-level decision. May need immediate action, additional investment, or risk avoidance. |
The preview updates in real time as you adjust the sliders, letting you visualise the impact of different threshold configurations before saving. Boundary labels beneath the bar show the current acceptance and escalation values.
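The zoning rules above (at or below acceptance = Accept, above escalation = Escalate, everything between = Treat) are simple enough to model exactly. The following Python is an added example, not Venvera's own code: it validates a settings object against the ranges on this page, classifies any 1–25 score, and renders the 25-cell preview as text. One assumption is made that the page does not state: the escalation threshold must sit strictly above the acceptance threshold, otherwise the Treat zone would be empty or inverted. The class and method names are hypothetical.

```python
from dataclasses import dataclass

MIN_SCORE, MAX_SCORE = 1, 25          # 5x5 matrix: Likelihood x Impact
LEVELS = ("Conservative", "Moderate", "Aggressive")


def risk_score(likelihood: int, impact: int) -> int:
    """Score = Likelihood x Impact, each rated 1-5, giving a value in 1..25."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


@dataclass(frozen=True)
class RiskAppetiteSettings:
    level: str = "Moderate"      # strategic posture card
    acceptance: int = 6          # page default; allowed range 1-24
    escalation: int = 15         # page default; allowed range 2-25

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"level must be one of {LEVELS}")
        if not 1 <= self.acceptance <= 24:
            raise ValueError("acceptance threshold must be 1-24")
        if not 2 <= self.escalation <= 25:
            raise ValueError("escalation threshold must be 2-25")
        # Assumption (not stated on the page): escalation must sit above
        # acceptance, otherwise the Treat zone would be empty or inverted.
        if self.escalation <= self.acceptance:
            raise ValueError("escalation threshold must exceed acceptance threshold")

    def zone(self, score: int) -> str:
        """Map a 1-25 score to Accept / Treat / Escalate using the page's rules."""
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"score must be {MIN_SCORE}-{MAX_SCORE}")
        if score <= self.acceptance:
            return "Accept"          # at or below the acceptance threshold
        if score <= self.escalation:
            return "Treat"           # above acceptance, at or below escalation
        return "Escalate"            # above the escalation threshold

    def preview(self) -> str:
        """The 25-cell bar as text: A=Accept (green), T=Treat (amber), E=Escalate (red)."""
        return "".join(self.zone(s)[0] for s in range(MIN_SCORE, MAX_SCORE + 1))

    def zone_counts(self) -> dict:
        """How many of the 25 possible scores fall in each zone."""
        counts = {"Accept": 0, "Treat": 0, "Escalate": 0}
        for s in range(MIN_SCORE, MAX_SCORE + 1):
            counts[self.zone(s)] += 1
        return counts

    def matrix(self) -> list:
        """Zone of every Likelihood x Impact cell, indexed as matrix()[L-1][I-1]."""
        return [[self.zone(risk_score(lk, im)) for im in range(1, 6)]
                for lk in range(1, 6)]


if __name__ == "__main__":
    settings = RiskAppetiteSettings()            # Moderate, 6 / 15 defaults
    print("preview  :", settings.preview())
    print("counts   :", settings.zone_counts())
    print("L2xI3=6  :", settings.zone(risk_score(2, 3)))
    print("L4xI5=20 :", settings.zone(risk_score(4, 5)))
    for lk, row in enumerate(settings.matrix(), start=1):
        print(f"L{lk}:", " ".join(z[0] for z in row))
```

The `matrix()` view is worth keeping next to the 25-cell bar: only the 14 products of two 1–5 ratings can actually occur on a 5×5 matrix, so the bar shows a few scores (7, 11, 13, 14 and others) that no risk will ever receive, while the matrix shows exactly which cells move between zones when a slider is adjusted.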
Review & Approval
The third section formalises the governance around your risk appetite statement:
| Field | Type | Description |
|---|---|---|
| Review Frequency | Select | How often the risk appetite should be formally reviewed. Options: Quarterly, Semi-Annual, Annual. Quarterly is recommended for organisations in rapidly changing threat environments. |
| Approved Date | Date | The date when the current risk appetite was formally approved by management or the board. This creates an audit trail showing that the appetite is actively governed. |
| Notes | Textarea | Free-text for additional context: board approval references, rationale for threshold changes, links to meeting minutes, or conditions under which the appetite should be reviewed outside the normal cycle. |
How Thresholds Affect Risk Management
Once saved, the acceptance and escalation thresholds influence how risks are treated across the platform:
Risks with a score at or below the acceptance threshold fall in the green zone. These are within the organisation's appetite and do not require a formal treatment plan. They should still be logged in the risk register and reviewed periodically. Document the acceptance rationale for each risk.
Risks scoring above the acceptance threshold but at or below the escalation threshold are in the amber zone. These require a treatment plan: assign controls, set a target residual score, define an owner, and set a review date. Track mitigation progress until the residual score falls within the acceptance zone.
Risks scoring above the escalation threshold are in the red zone. These exceed the organisation's tolerance and require executive decision-making. Options include additional investment in controls (mitigate), changing the business process (avoid), transferring the risk (insure), or in rare cases, accepting the risk with explicit board sign-off and documented rationale.
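To show how the three zones drive decisions once the settings are saved, here is an added Python example (not Venvera's code) that runs a small constructed risk register through the rules in this section: accepted risks must carry a documented rationale, amber risks need a treatment plan until their residual score falls within the acceptance zone, and a red-zone risk recorded as accepted must have explicit board sign-off. The `Risk` fields, the `status` values and the finding texts are hypothetical; the sample entries are constructed, not real data.

```python
from dataclasses import dataclass
from typing import Optional


def zone(score: int, acceptance: int = 6, escalation: int = 15) -> str:
    """Accept / Treat / Escalate using the page's boundary rules (defaults 6 and 15)."""
    if score <= acceptance:
        return "Accept"
    if score <= escalation:
        return "Treat"
    return "Escalate"


@dataclass
class Risk:
    ref: str
    likelihood: int                              # inherent rating, 1-5
    impact: int                                  # inherent rating, 1-5
    residual_likelihood: Optional[int] = None    # after treatment, if reassessed
    residual_impact: Optional[int] = None
    status: str = "open"                         # hypothetical: open | treating | accepted
    board_signoff: bool = False                  # explicit board sign-off recorded?
    rationale: str = ""                          # documented acceptance rationale

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent                 # untreated: residual equals inherent
        return self.residual_likelihood * self.residual_impact


def evaluate(risk: Risk, acceptance: int = 6, escalation: int = 15) -> dict:
    """Required action and governance findings for one register entry."""
    z = zone(risk.inherent, acceptance, escalation)
    findings = []
    if z == "Accept":
        action = "Accept: log in register, monitor, document acceptance rationale"
        if not risk.rationale.strip():
            findings.append("acceptance rationale not documented")
    elif z == "Treat":
        if zone(risk.residual, acceptance, escalation) == "Accept":
            action = "Treatment complete: residual score within acceptance zone"
        else:
            action = "Treat: plan required (controls, owner, target residual, review date)"
    else:
        action = ("Escalate: executive/board decision "
                  "(mitigate, avoid, transfer, or accept with board sign-off)")
        if risk.status == "accepted" and not risk.board_signoff:
            findings.append("red-zone risk accepted without explicit board sign-off")
        if risk.status == "accepted" and not risk.rationale.strip():
            findings.append("red-zone acceptance rationale not documented")
    return {"ref": risk.ref, "inherent": risk.inherent, "residual": risk.residual,
            "zone": z, "action": action, "findings": findings}


def summarise(register, acceptance: int = 6, escalation: int = 15) -> dict:
    """Zone counts plus every finding across the register, prefixed with the risk ref."""
    counts = {"Accept": 0, "Treat": 0, "Escalate": 0}
    findings = []
    for risk in register:
        result = evaluate(risk, acceptance, escalation)
        counts[result["zone"]] += 1
        findings.extend(f"{result['ref']}: {f}" for f in result["findings"])
    return {"counts": counts, "findings": findings}


# Constructed sample register (illustrative values, not real data).
SAMPLE_REGISTER = [
    Risk("R-01", 2, 3, rationale="Within appetite; compensating monitoring in place"),
    Risk("R-02", 3, 3, residual_likelihood=2, residual_impact=2, status="treating"),
    Risk("R-03", 3, 4),
    Risk("R-04", 4, 5, status="accepted"),
    Risk("R-05", 5, 5, status="accepted", board_signoff=True,
         rationale="Board minute ref: [placeholder]"),
]

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        r = evaluate(risk)
        print(f"{r['ref']} inherent={r['inherent']:>2} residual={r['residual']:>2} "
              f"{r['zone']:<8} {r['action']}")
        for f in r["findings"]:
            print(f"    finding: {f}")
    print(summarise(SAMPLE_REGISTER))
```

R-04 is the case worth watching for in a real register: an inherent score of 20 is above the default escalation threshold, so marking it "accepted" without board sign-off and a rationale is exactly the subjective decision that defined thresholds are meant to prevent, and the summary surfaces it as a finding.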
Step-by-Step Configuration
1. Go to Risk Management → Settings from the sidebar or dashboard.
2. Click one of the three appetite cards: Conservative, Moderate, or Aggressive.
3. Adjust the Acceptance Threshold and Escalation Threshold using the sliders or numeric inputs. Watch the 25-cell preview to visualise the zone distribution.
4. Select the Review Frequency and enter the Approved Date.
5. Document the rationale in the Notes field and click Save Settings. A success message confirms the settings have been saved.