
Risk Tolerance Quantifier


    Overview

    Draft and validate a Cybersecurity Risk Appetite Statement (NIST CSF 2.0 GV.OC): translate board mandates into quantifiable tolerance levels and KPIs, and ensure the stated appetite is supported by the budget narrative. (In CSF 2.0 the appetite and tolerance statements themselves are outcome GV.RM-02; GV.OC supplies the organizational context they draw on.) The skill’s validation tool checks that a stated “Low” risk appetite for an area (e.g. data breaches) is backed by at least “Medium” investment in the corresponding budget narrative; “High” investment also satisfies the check.

    Example Conversation

    You: We need a Risk Appetite Statement for the board and to make sure it lines up with our cybersecurity budget narrative. We have low tolerance for data breaches and downtime; compliance we treat as medium. Can you draft the statement and run the consistency check?

    Agent: I’ll draft a Risk Appetite Statement with clear sections and risk areas (data breach, availability, compliance), then run appetite_consistency_check against your budget narrative. I’ll create risk-appetite-statement.md and use your existing cyber-budget-2025.md for the check.

    Agent: I’ve added the Risk Appetite and Tolerance sections with Low for data breach and availability, Medium for compliance. Running appetite_consistency_check with the appetite document and the budget file…

    Agent: Result of appetite_consistency_check:

    — APPETITE vs BUDGET CONSISTENCY —
    Result: FAIL
    Appetite document: risk-appetite-statement.md
    Budget document: cyber-budget-2025.md

    Risk appetite statements found: 3
    Investment statements found: 4

    • data breach: appetite Low, investment High → OK
    • availability: appetite Low, investment not stated → INCONSISTENT (Low appetite should be backed by at least Medium investment)
    • compliance: appetite Medium, investment Medium → OK

    Resolve inconsistencies: either raise investment descriptions for areas with Low risk appetite, or adjust stated appetite to match actual investment.

    I’ll add a short “Investment and resourcing” line under availability in the budget narrative so the check passes, then re-run.

    Agent: I’ve updated the budget narrative to state high investment in redundancy and resilience for critical systems. Re-running the check… Result: PASS. Your Risk Appetite Statement and budget narrative are now consistent.

    Output Excerpt

    After the agent drafts the Risk Appetite Statement and aligns it with the budget, a typical pair looks like this. Excerpt from the appetite document:

    # Cybersecurity Risk Appetite Statement (GV.OC)
    
    ## Organizational context
    
    Our mission requires continuous availability of customer-facing systems and protection of personal data. Stakeholder expectations (customers, regulators) imply low tolerance for data breaches and prolonged outages.
    
    ## Risk appetite
    
    - **Data breach / confidentiality:** Low. We do not accept avoidable exposure of customer or employee data. Zero tolerance for negligent handling; incidents must be contained and reported within defined SLAs.
    - **Availability / downtime:** Low. Critical systems must meet agreed RTO/RPO; unplanned downtime beyond thresholds is unacceptable. We invest in redundancy and resilience accordingly.
    - **Regulatory non-compliance:** Medium. We aim for full compliance; isolated, remediable gaps may be accepted temporarily with board-approved mitigation and deadlines.
    
    ## Tolerance (quantitative)
    
    - Maximum allowable unplanned downtime (critical systems): 4 hours per quarter.
    - Single-incident financial loss (cyber): not to exceed $X without board escalation.
    - Compliance findings: critical findings remediated within 30 days; significant within 90 days.
    

    The budget narrative would include matching investment language (e.g. “high investment in data protection and access controls”, “significant budget for redundancy and resilience”). The consistency check passes when every Low-appetite area has at least Medium investment stated in the narrative; High investment also satisfies it.

    Extension Tool and Validations

    The skill includes one validation tool, appetite_consistency_check, which runs on two files: the Risk Appetite Statement and the budget (or investment) narrative.

    appetite_consistency_check ensures that stated risk appetite is supported by investment levels in the budget narrative:

    • Parameters: appetitePath, the path to the Risk Appetite Statement (Markdown or text); budgetPath, the path to the budget narrative.
    • Appetite parsing — Looks for a section under headings such as “Risk Appetite”, “Tolerance”, or “Organizational context”. Within that (and surrounding text), it searches for risk areas (e.g. data breach, availability, compliance, third-party risk, incident response, reputation, financial loss) and detects appetite level from nearby wording: Low (e.g. low, minimal, zero), Medium (medium, moderate), High (high, significant, substantial).
    • Budget parsing — Looks for a section under “Budget”, “Investment”, “Funding”, or similar. It searches for the same risk areas (or close equivalents, e.g. “data protection” for “data breach”) and detects investment level from context.
    • Consistency rule — For each risk area with a stated appetite: if appetite is Low, investment must be at least Medium (Medium or High). If investment is missing or Low, the tool reports INCONSISTENT for that area. Medium or High appetite has no minimum investment requirement.
    • Result — PASS only when every extracted appetite statement is consistent; FAIL when at least one area is INCONSISTENT or when no structured appetite statements are found. The report lists each area with appetite, investment, and OK/INCONSISTENT.

    Run this tool after drafting or updating either document; resolve flagged inconsistencies and re-run until the check passes.
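    The parsing and rule described above, as an added Python example (it is not the skill’s own tool, whose source is not shown on this page). It assumes a synonym table for risk areas beyond the one “data protection” equivalence the page gives, treats the level word closest to the area mention as the “nearby wording”, and scans the whole file when no heading matches; the sample appetite and budget documents are constructed for the demo and mirror the conversation above.

```python
# Simplified re-implementation of the appetite_consistency_check logic described
# above (added example, not the skill's own code). Assumed: the synonym table,
# the "nearest level word" heuristic, and scanning the whole file when no
# heading matches.
import re

LEVEL_WORDS = {  # level -> trigger words, as listed on this page
    "Low": ("low", "minimal", "zero"),
    "Medium": ("medium", "moderate"),
    "High": ("high", "significant", "substantial"),
}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
# Phrases treated as the same risk area; the page gives "data protection" ~
# "data breach", the remaining synonyms are assumptions.
RISK_AREAS = {
    "data breach": ("data breach", "data protection", "confidentiality"),
    "availability": ("availability", "downtime", "redundancy", "resilience"),
    "compliance": ("compliance", "regulatory"),
    "third-party risk": ("third-party", "third party", "vendor"),
    "incident response": ("incident response",),
    "reputation": ("reputation",),
    "financial loss": ("financial loss",),
}
APPETITE_HEADINGS = ("risk appetite", "tolerance", "organizational context")
BUDGET_HEADINGS = ("budget", "investment", "funding")

def sections(md, wanted):
    """Body of Markdown sections whose heading contains a wanted phrase
    (heading lines dropped); whole document if no heading matches."""
    keep, out = False, []
    for line in md.splitlines():
        m = re.match(r"^\s*#+\s*(.+?)\s*$", line)
        if m:
            keep = any(w in m.group(1).lower() for w in wanted)
        elif keep:
            out.append(line)
    return "\n".join(out) if out else md

def level_near(text, pos):
    """Level whose trigger word lies closest to offset pos, or None."""
    best = None
    for level, words in LEVEL_WORDS.items():
        for w in words:
            for m in re.finditer(rf"\b{re.escape(w)}\b", text):
                dist = abs(m.start() - pos)
                if best is None or dist < best[0]:
                    best = (dist, level)
    return best[1] if best else None

def statements(text):
    """Map risk area -> level for each sentence that names an area near a
    level word. The first mention of an area wins."""
    found = {}
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        low = sentence.lower()
        for area, synonyms in RISK_AREAS.items():
            hits = [low.find(s) for s in synonyms if s in low]
            level = level_near(low, min(hits)) if hits else None
            if level is not None:
                found.setdefault(area, level)
    return found

def consistency_check(appetite_md, budget_md):
    """Return (result, rows) with rows of (area, appetite, investment, ok).
    Low appetite needs investment >= Medium; Medium/High appetite needs
    nothing. FAIL if any row is inconsistent or no appetite was extracted."""
    appetite = statements(sections(appetite_md, APPETITE_HEADINGS))
    investment = statements(sections(budget_md, BUDGET_HEADINGS))
    rows = []
    for area, app in appetite.items():
        inv = investment.get(area)
        ok = app != "Low" or (inv is not None and LEVEL_RANK[inv] >= 1)
        rows.append((area, app, inv, ok))
    return ("PASS" if rows and all(r[3] for r in rows) else "FAIL"), rows

# Constructed sample documents (not from any real organisation).
APPETITE_MD = """# Cybersecurity Risk Appetite Statement (GV.OC)
## Risk appetite
- **Data breach / confidentiality:** Low. We do not accept avoidable exposure of customer data.
- **Availability / downtime:** Low. Critical systems must meet agreed RTO/RPO.
- **Regulatory non-compliance:** Medium. Isolated, remediable gaps may be accepted temporarily.
"""
BUDGET_FAIL_MD = """# Cyber budget 2025
## Investment narrative
High investment in data protection and access controls.
Moderate funding for the compliance programme and audits.
"""
# The same narrative plus the availability line the agent adds in the conversation above.
BUDGET_PASS_MD = BUDGET_FAIL_MD + "Significant budget for redundancy and resilience of critical systems.\n"

if __name__ == "__main__":
    for budget in (BUDGET_FAIL_MD, BUDGET_PASS_MD):
        result, rows = consistency_check(APPETITE_MD, budget)
        print("Result:", result)
        for area, app, inv, ok in rows:
            print(f"  {area}: appetite {app}, investment {inv or 'not stated'} ->",
                  "OK" if ok else "INCONSISTENT")
```

    Running the script reports FAIL for the first budget (availability has no investment statement) and PASS once the redundancy line is added. The check is purely lexical: a sentence containing both “low appetite” and “high investment” is resolved by proximity, and negations such as “not low” are not understood, so treat a PASS as evidence that the two documents use matching language, not that money has actually been allocated.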

    Getting Started

    Add your risk appetite draft and budget narrative to the project workspace, then activate the Risk Tolerance Quantifier skill. Draft or refine the Risk Appetite Statement with clear sections (e.g. “Risk Appetite”, “Tolerance”) and risk areas; run appetite_consistency_check with the two file paths. Resolve any reported inconsistencies and re-run until the check passes.
