# Risk Tolerance Quantifier > Draft and validate a Cybersecurity Risk Appetite Statement (NIST CSF 2.0 GV.OC): translate board mandates into quantifiable tolerance levels and KPIs; ensure stated appetite is supported by budget narratives. Tags: NIST CSF, Governance, Risk Appetite, GV.OC, GRC ## Example Prompts - Draft a Risk Appetite Statement from our board mission and translate it into risk thresholds - Map our low tolerance for data breaches to quantitative KPIs and budget narrative - Check that our risk appetite document is consistent with our cybersecurity budget narrative URL: https://rakenne.app/skills/risk-tolerance-quantifier/index.md Try this skill: https://rakenne.app/a/?skill=risk-tolerance-quantifier ## Overview Draft and validate a Cybersecurity Risk Appetite Statement (NIST CSF 2.0 GV.OC): translate board mandates into quantifiable tolerance levels and KPIs; ensure stated appetite is supported by budget narratives. The skill’s validation tool checks that a stated "Low" risk appetite for an area (e.g. data breaches) is backed by at least "Medium" or "High" investment in the corresponding budget narrative. ## Example Conversation > **You:** We need a Risk Appetite Statement for the board and to make sure it lines up with our cybersecurity budget narrative. We have low tolerance for data breaches and downtime; compliance we treat as medium. Can you draft the statement and run the consistency check? > **Agent:** I’ll draft a Risk Appetite Statement with clear sections and risk areas (data breach, availability, compliance), then run **appetite_consistency_check** against your budget narrative. I’ll create `risk-appetite-statement.md` and use your existing `cyber-budget-2025.md` for the check. > **Agent:** I’ve added the Risk Appetite and Tolerance sections with Low for data breach and availability, Medium for compliance. Running `appetite_consistency_check` with the appetite document and the budget file… > **Agent:** Result of `appetite_consistency_check`: > > --- APPETITE vs BUDGET CONSISTENCY --- > Result: FAIL > Appetite document: risk-appetite-statement.md > Budget document: cyber-budget-2025.md > > Risk appetite statements found: 3 > Investment statements found: 4 > > - data breach: appetite Low, investment High → OK > - availability: appetite Low, investment not stated → INCONSISTENT (Low appetite should be backed by at least Medium investment) > - compliance: appetite Medium, investment Medium → OK > > Resolve inconsistencies: either raise investment descriptions for areas with Low risk appetite, or adjust stated appetite to match actual investment. > > I’ll add a short “Investment and resourcing” line under availability in the budget narrative so the check passes, then re-run. > **Agent:** I’ve updated the budget narrative to state high investment in redundancy and resilience for critical systems. Re-running the check… Result: PASS. Your Risk Appetite Statement and budget narrative are now consistent. ## Output Excerpt After the agent drafts the Risk Appetite Statement and aligns it with the budget, a typical pair looks like this. Excerpt from the appetite document: ```markdown # Cybersecurity Risk Appetite Statement (GV.OC) ## Organizational context Our mission requires continuous availability of customer-facing systems and protection of personal data. Stakeholder expectations (customers, regulators) imply low tolerance for data breaches and prolonged outages. ## Risk appetite - **Data breach / confidentiality:** Low. We do not accept avoidable exposure of customer or employee data. Zero tolerance for negligent handling; incidents must be contained and reported within defined SLAs. - **Availability / downtime:** Low. Critical systems must meet agreed RTO/RPO; unplanned downtime beyond thresholds is unacceptable. We invest in redundancy and resilience accordingly. - **Regulatory non-compliance:** Medium. We aim for full compliance; isolated, remediable gaps may be accepted temporarily with board-approved mitigation and deadlines. ## Tolerance (quantitative) - Maximum allowable unplanned downtime (critical systems): 4 hours per quarter. - Single-incident financial loss (cyber): not to exceed $X without board escalation. - Compliance findings: critical findings remediated within 30 days; significant within 90 days. ``` The budget narrative would include matching investment language (e.g. “high investment in data protection and access controls”, “significant budget for redundancy and resilience”). The consistency check passes when every Low-appetite area has at least Medium or High investment stated. ## Extension Tool and Validations The skill includes one validation tool, **appetite_consistency_check**, which runs on two files: the Risk Appetite Statement and the budget (or investment) narrative. **`appetite_consistency_check`** ensures that stated risk appetite is supported by investment levels in the budget narrative: - **Parameters** — `appetitePath`: path to the Risk Appetite Statement (Markdown or text); `budgetPath`: path to the budget narrative. - **Appetite parsing** — Looks for a section under headings such as "Risk Appetite", "Tolerance", or "Organizational context". Within that (and surrounding text), it searches for risk areas (e.g. data breach, availability, compliance, third-party risk, incident response, reputation, financial loss) and detects appetite level from nearby wording: Low (e.g. low, minimal, zero), Medium (medium, moderate), High (high, significant, substantial). - **Budget parsing** — Looks for a section under "Budget", "Investment", "Funding", or similar. It searches for the same risk areas (or close equivalents, e.g. "data protection" for "data breach") and detects investment level from context. - **Consistency rule** — For each risk area with a stated appetite: if appetite is **Low**, investment must be at least **Medium** or **High**. If investment is missing or Low, the tool reports INCONSISTENT for that area. Medium or High appetite has no minimum investment requirement. - **Result** — PASS only when every extracted appetite statement is consistent; FAIL when at least one area is INCONSISTENT or when no structured appetite statements are found. The report lists each area with appetite, investment, and OK/INCONSISTENT. Run this tool after drafting or updating either document; resolve flagged inconsistencies and re-run until the check passes. ## Getting Started Add your risk appetite draft and budget narrative to the project workspace, then activate the *Risk Tolerance Quantifier* skill. Draft or refine the Risk Appetite Statement with clear sections (e.g. "Risk Appetite", "Tolerance") and risk areas; run **appetite_consistency_check** with the two file paths. Resolve any reported inconsistencies and re-run until the check passes. --- Back to [Skill Library](https://rakenne.app/skills/index.md)