CISO, use trending to analyze risk tolerance
For more than a decade, corporate boards, Risk Officers and CISOs have circled around the same refrain: we need a defined financial risk tolerance.
It sounds neat. Measurable. Precise. But here’s the reality: most organizations have spent years talking about risk tolerance without ever landing on a number that holds up under scrutiny.
Even if you could pick a number, the truth is it won’t tell you what you need most: whether the company’s actual risk posture is shifting and why. That’s where “trending” can prove to be more useful than a static threshold.
What Trending Shows That a Threshold Cannot
A risk tolerance number is a snapshot. Trending is a story.
When you examine data year over year, side by side, it forces a cross-functional conversation and demonstrates movement over time. The point isn’t a single dollar figure; it’s the slope of the line. Imagine a bar chart with year on the x-axis and dollars on the y-axis. Some of the data points worth trending:
- Operational losses and litigation fees: How much was spent fixing problems that slipped through.
- Legal reserves in escrow: A measure of anticipated but unrealized exposure.
- Insurance coverage: Changes in policy limits or premiums often signal what insurers think of your profile.
- Revenue growth vs. expense growth: The delta between them is a proxy for business resilience, which directly affects your ability to absorb risk.
These metrics shift every year. Some sharply, some subtly. Some may be correlated. But when you view them together, the composite trend tells a far more revealing story about your organization’s risk tolerance in practice than any one-time definition ever could.
Boards and CISOs Find More Value in Trending
- It reflects reality, not theory. A “defined tolerance” is aspirational. Trending shows how risk is actually being absorbed or avoided in the business.
- It drives better dialogue. Instead of arguing about what the number should be, leaders can debate why the trend is moving and what it means.
- It builds context for decision-making. Seeing multiple metrics plotted together highlights tradeoffs, priorities, and emerging risks that wouldn’t be visible otherwise.
This Is The Logical Next Step
After years of chasing an elusive “defined tolerance,” boards and CISOs are realizing that “trending” is the evolution of the risk discussion and drives a more elevated and efficient engagement.
It’s not about abandoning rigor. It’s about focusing on what the data is showing. Is your organization getting more or less risk-averse, and are the stakes increasing or diminishing? The trajectory (either way) should inform strategic and operational direction.
The other benefit of trending is that the conversation shifts from “did we pick the right number?” to “what story are these trends telling us, and what should we do next?”
If a defined tolerance is a line in the sand, then trending is a compass. In matters of digital risk, CISOs and boards will value the compass more.