As a precursor to establishing an effective risk management program, a firm needs to determine its risk appetite. This can be done using a baseline analysis that accounts for a combination of threats, vulnerabilities, consequences, and readiness.
A company’s appetite for risk often doesn’t match its actual exposure. In other words, companies are often unaware that their risk exposure is significantly greater than their tolerance for that risk.
Assessments, training, and exercises are all excellent ways to expose those gaps and establish focus points for adjusting your firm’s security posture to align with its risk appetite.