R45 — Risk Appetite & Strategy Gap (NIST CSF GV.RM)

Stress-test Risk Appetite & Strategy Gap (NIST CSF GV.RM) in the Post-incident recovery scenario: you took the job because the previous CISO was fired after a breach.

R45 · Governance · Severity 6 (Moderate) · Residual offset +5

No documented risk appetite, no board-approved strategy linking risks to controls. NIST CSF 2.0 GV.RM. Auditors view this as a governance failure that cascades into every other GOVERN sub-category.

What is Risk Appetite & Strategy Gap (NIST CSF GV.RM)?

CISO Game tracks this as R45 in the live risk register, severity 6 (Moderate), category Governance.

How does CISO Game model Risk Appetite & Strategy Gap (NIST CSF GV.RM)?

Exposure for R45 runs from 0 to 100 and is recomputed live as you buy, cancel, or reassign products.

Real-world parallel

Risk appetite & strategy gap is the governance failure where the program runs without a written, board-approved statement of how much risk the company is willing to accept. NIST CSF 2.0's Govern function (GV.RM) explicitly requires this; without it, every program decision becomes ad hoc and every board conversation re-litigates first principles.

How do security teams mitigate Risk Appetite & Strategy Gap (NIST CSF GV.RM)?

The dominant subscore levers for this risk are:

Residual offset: +5 exposure points are structural — no product fully removes them. Real-world parallels: zero-day windows, vendor monoculture, regulator unpredictability.

Which investments mitigate Risk Appetite & Strategy Gap (NIST CSF GV.RM)?

Products in CISO Game that reduce exposure to R45:

Which related risks should you also watch?

Risks with similar dominant subscores or shared category — addressing one often helps the others:

Why does Risk Appetite & Strategy Gap (NIST CSF GV.RM) matter to a CISO?

Governance risk is the structural risk that lives in audits, attestations, and board reporting. Risk Appetite & Strategy Gap (NIST CSF GV.RM) is the kind of risk that lands a CISO in front of a regulator regardless of how well their controls actually work.

How can you test your mitigation strategy?

Play CISO Game free to see R45 appear live in your risk register and watch each purchase move the exposure number in real time. No signup required.