Answer: The best approach to enlighten the CEO and management staff about risk appetite is to show them evidence of the potential impacts of the risks they are willing to accept (e.g., costs related to rework, loss of production, legal fines, etc.), and how these can affect the organization in the long term.
This article will provide you with further explanation about risk appetite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
Dear Rhand,
Thanks for the answer. That means the risk appetite set by the management of a company does not depend on the nature of the business (line of business).
If an organization decides its risk appetite, can that be challenged as well? There is always a minimum amount of risk associated with all processes, people and technology, so where should the line be drawn?
Answer: Risk appetite does not depend ONLY on the nature of the business, because other aspects can affect it (e.g., cultural and technological issues).
The risk appetite can always be challenged, especially by the risk management officer, but you have to keep in mind that the final decision is always up to top management (they set where the line must be drawn, depending on their perception of the risks). If you do not agree with their decision, then you have to review the data you present to them, or try to understand how they perceive risk, so you can adjust your approach or change your mind. In any case, you have to be careful not to push your opinion too much (remember that the final decision is up to them).
Jun 12, 2019