Risk appetite - does that mean revenue loss for dinner or cost for dessert?

When meeting colleagues in the field of security, I often hear about the challenges security professionals struggle with, especially getting decision makers to understand and utilize the concept of risk appetite or risk tolerance. Just as often, I hear about the dilemma where decision makers don't want to take risk but also don't want to invest in security. It can be difficult to explain precisely what risk appetite and risk tolerance are and why they matter. So, to help in your discussions, I've highlighted some points to consider.

Why is this important?

Quite simply, when risk appetite or risk tolerance is defined in an organization, the organization can determine the appropriate amount of cost and resources to spend on reducing risk to an acceptable level. Moreover, it helps decision makers find the right balance between being too cautious and taking uncontrolled decisions when dealing with cyber risks.

So, what is what?

This is a topic that is discussed broadly, and I believe it is important to set the definitions straight in order not to get confused. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework for Enterprise Risk Management [1], risk appetite and risk tolerance are defined as:

Risk appetite: "The types and amounts of risk, on a broad level, an organization is willing to accept in the pursuit of value."

Risk tolerance: "The boundaries of acceptable variation in performance related to achieving business objectives."

Risk appetite

In practice, risk appetite can be expressed in many ways, but basically it can be explained as "a level of impact a company is willing to accept". The impact is not necessarily just a financial amount but can also be, for example, "downtime for our website", "negative communication in the media" or "failure to comply with legal requirements".

Five examples of risk appetite categories are:

1. Financial loss: Top-line or bottom-line effect (resulting in a loss-making year)

2. Regulatory / compliance: The company or individuals facing prosecution or loss of license, citation, or a major fine

3. Reputation / Image: Up to 2 weeks of negative media attention nationally or locally

4. Business Interruption: Long-term business interruption (above 2 weeks)

5. Environmental: Large-scale environmental impact with long-term cleanup

Within each category, risk appetite expresses the level where it hurts the most; going beyond that line is irreparable and must be avoided. Any risk at that level should be dealt with and mitigated until you can accept the remaining risk level. The point of defining risk appetite is having this discussion.

Risk Tolerance

A pragmatic way to express tolerance is to identify the impact of an event, or in other words, to measure loss per event. Tolerance boundaries can be hard to measure, and the effort to measure them precisely often does not balance the value. Therefore, weigh the cost of measuring precisely against taking a simple and pragmatic approach. In the end, risk management is not about certainties.

Tolerance could be an estimated system downtime, measured either in cost or in time (minutes, hours, etc.). Another example of tolerance is defining an acceptable number of major incidents per quarter.

Five examples of risk tolerance, expressed as single events surpassing the acceptable level of variation, are:

· Financial loss: Top-line or bottom-line effect per event

· Regulatory / compliance: Minor fine or a warning from authorities

· Reputation / Image: Negative information in local media

· Business Interruption: Short business interruption below one working day

· Environmental: Brief environmental incident with quick cleanup and no environmental effect

How can you use this?

Like so many things, the key to utilizing this with success is pragmatism. Discussions of risk appetite and risk tolerance in your organization should specifically address what is important to prioritize and what is not. For example, if your company is attacked through phishing or you are the victim of ransomware, is the worst possible impact the financial loss, or would the loss of reputation lead to a greater overall loss?

A huge benefit to having a discussion and defining risk appetite and risk tolerance is that your organization can start to work more efficiently toward what really matters. You can set a clear direction to avoid spending resources on less important security issues and focus more on protecting the crown jewels of your company.

So, investigate the working culture in your organization and think about how decisions are made and how you can utilize risk appetite and tolerance in your risk management practice. Take up the topic in your board rooms and discuss it with your board members or other decision makers. Use a pragmatic approach and discuss with your decision makers what will work and what will not, for example how this can affect your strategic initiatives or your operational goals.

Be specific and come up with tangible examples in order to use these practices for sound decision-making. In the end, it is about being specific and practical. Avoid being too rigid, just to check the box and fit into a specific frame.

Identifying and deciding the level of risk appetite and risk tolerance is often one of the first steps in a risk management journey, and definitely an important step toward managing risks. I hope this helps you to understand the concept and get an idea of what to do next.

Bon appetite!


[1] Committee of Sponsoring Organizations of the Treadway Commission and PricewaterhouseCoopers LLP. 2017. Enterprise Risk Management: Integrating with Strategy and Performance. 2nd ed. Vols. 1, 2, 3. New York: Committee of Sponsoring Organizations of the Treadway Commission.