In order to accommodate or determine the acceptable levels of risk, organizations must fully understand what their business is, what makes it run, and be in a position to either build operational and business recovery systems or have significant insurance in place to offset recovery.
Each of the following issues also pertains to the risk tolerance for an organization.
An organization that doesn't understand its risk tolerance is usually not prepared, security-wise. Being prepared will ensure some confidence in business continuity and business survivability. Being unprepared will almost certainly ensure business failure.
The risks should be determined, as stated previously, by first understanding the business priorities and the components that make these business practices continue.
Once this is documented, a formal impact analysis and risk assessment should be undertaken. These should be centered on the "business" objectives.
In other words, each business case should have its priorities set to make business goals, and a series of risk assessments should be used to evaluate the risks to each business entity.
Only after a reasonable risk assessment or tolerance evaluation is completed will you fully begin to identify and appreciate your security investment to protect the business. This is what CEOs and CFOs need to understand.