Chasing the chimera of zero cyber risk?

Comforting but unrealistic claims such as “we have no appetite for cyber risk” or “we aim to avoid all data breaches” may sound responsible, but they reflect a poor understanding of today’s dynamic cyber threats. Boards should instead ask a more grounded question: Have the board and management team reviewed the capabilities of the organisation to manage the (cyber) risks that it faces?[1] This question shifts the conversation from abstract ideals to an honest assessment of risk management capacity, allowing boards to balance ambition with cyber maturity and threat exposure.

What is risk appetite?

According to ISO guidance[2], risk appetite is the "amount and type of risk that an organisation is willing to pursue or retain." It reflects the board’s strategic choices and sets the tone for risk-taking. For cyber risk, appetite must be informed by the organisation’s threat profile, strategy, cyber capabilities, regulatory obligations, and broader risk management practices. Your risk appetite definition can be qualitative or quantitative, but it should be actionable and support effective governance[3].

Pledging to comply with the UK Cyber Governance Code of Practice[4]?

This code positions cyber risk appetite as a central cyber governance issue. Action 3 of Principle 1 requires boards to approve their organisation’s cyber risk appetite. Three further references throughout the code reinforce its centrality to cyber strategy, assurance, and oversight. A meaningful cyber risk appetite definition should align with the broader enterprise risk framework and should be shaped with input from key stakeholders, endorsed by the board[5], and subject to regular review, monitoring, and reporting.

Join the conversation

To explore this topic in more depth, you are warmly invited to join my upcoming webinar on July 16, focusing on Principle 1 of the UK Cyber Governance Code of Practice. We will unpack the expectations around cyber risk management, including defining cyber risk appetite. This board-level session will encourage conversation and exchange between peers.

Set the tone and guide the definition of cyber risk appetite from the boardroom:

1. Draw on key resources: a cyber threat profile for your sector and organisation, your strategy, your cyber maturity, your regulatory context, and your general risk management practices.

2. Foster cross-functional collaboration: Ensure technology, business, and risk executives contribute to a shared understanding of acceptable cyber risk.

3. Put your cyber risk appetite definition to work: A well-defined cyber risk appetite is a governance tool. Request your executive team to use it to guide decisions, shape policy and prioritise cyber investments.

4. Communicate with intent:

  • Employees, stakeholders and the wider public: Use a well-phrased risk appetite statement to communicate that cyber risk is well managed.

  • Board: Use your cyber risk appetite definition to guide oversight, including input to your board pack, which could take the shape of a risk heatmap.

5. Monitor and adapt: Track adherence to the approved cyber risk appetite and adapt as your threat profile and your cyber maturity evolve.

By defining cyber risk appetite, boards signal strong cyber governance and leadership in shaping their organisation’s digital future.


[1] The Institute of Risk Management, Risk Appetite & Tolerance Guidance Paper, 2011, https://www.theirm.org/media/7239/64355_riskapp_a4_web.pdf

[2] ISO Guide 73:2009, Risk management vocabulary, https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en

[3] The National Cyber Security Centre, Blog Post: Are you hungry? A two-part blog about risk appetites, 2021, https://www.ncsc.gov.uk/blog-post/a-two-part-blog-about-risk-appetites

[4] UK Government, Department for Science, Innovation & Technology, The Cyber Governance Code of Practice, 2025, https://www.gov.uk/government/publications/cyber-governance-code-of-practice/cyber-governance-code-of-practice

[5] The UK National Cyber Security Centre, Cyber Security Toolkit for Boards, Risk management for cyber security, https://www.ncsc.gov.uk/collection/board-toolkit/principle-a-risk-management/risk-management-for-cyber-security
