How Hungry Are You For Risk?

Last time, I discussed the importance of adapting your cyber risk management program to your organization’s changing business context. As a reminder, COSO has 5 guiding principles, and we are at the second guiding principle, Strategy and Objective Setting. This principle consists of four points:

  1. Analyzes Business Context

  2. Defines Risk Appetite

  3. Evaluates Alternative Strategies

  4. Formulates Business Objectives

This week I am going to discuss a topic that challenges almost every cybersecurity leader that I speak to: Defines Risk Appetite.

COSO defines RISK APPETITE as “The types and amount of risk, on a board level, that an organization is willing to accept in pursuit of value.” Sounds simple enough, but I cannot begin to tell you how many times I have been asked about how an organization goes about defining their risk appetite, and more importantly, their cyber risk appetite.

Defining a risk appetite is essential to risk management and to how organizations communicate and react to risk. Managing risk within the boundaries of risk appetite, also known as risk tolerance, should be consistently shared and addressed throughout the organization, as it provides the guardrails against which to manage risk.

The terms risk appetite and risk tolerance are often mistakenly interchanged, but they are distinctly different. Risk appetite refers to how much risk an organization is willing to accept; risk tolerance is the variance placed around that risk appetite. For example, if your target weight is 200 lbs, but you would accept weighing anywhere from 190 lbs to 210 lbs, then that 20 lb range is your risk appetite and plus or minus 10 lbs is your risk tolerance.

Risk appetite decisions need to cascade throughout the business, as risk decisions must be made at different levels or in different business units. This means that individual business units may have different risk appetites and risk tolerances that still align to the organization’s goals. For instance, an R&D unit may tolerate more risk (fail fast, fail often) than a steady and critical revenue-generating unit.

So, what does this mean from a cybersecurity risk standpoint? It means DO NOT GET LOST IN THE WEEDS. Reporting a bunch of metrics without the appropriate context is meaningless and will only prevent you from being viewed as a strategic partner.

You must be part of setting that context by defining cyber risk appetite and tolerance for your organization. Defining a cyber risk appetite is not just technical. It requires discussions across the organization. The C-Suite, enterprise risk management, and the cybersecurity steering committee should all be involved so that cyber risk is tied into enterprise risk, which is tied into the organization’s risk appetite, and reflects your organization’s mission and values.

Here are six things you can do NOW to start defining your company’s cyber risk appetite and tolerances.

  1. #1 is obvious. Conduct a cyber risk assessment. You must understand and articulate the cyber risk inventory that impacts your organization. You must also understand the current capabilities of your cybersecurity program.

  2. Evaluate ALL your requirements. Take the organization’s risk appetite as a primary input. Other inputs may include regulatory requirements, financial requirements, or operational requirements.

  3. Collaborate with stakeholders across the ENTIRE organization. The cybersecurity steering committee is an excellent group to facilitate this collaboration. Bear in mind that you may need to invite individuals who are not regular members of the committee to these meetings.

  4. Evaluate the implications of the board-level risk appetite statement (if there is one). If there isn’t one, get involved and work with the C-Suite and enterprise risk management to help define it. Some things to consider are:

    • How will your cyber risk appetite statement cascade throughout the organization?

    • Do you have to create multiple risk statements for various levels within the organization?

    • Will your cyber risk appetite statement require fundamental changes, such as the implementation of a new multi-factor authentication requirement?

  5. Formulate risk tolerances to establish the parameters and required metrics to measure performance.

  6. Establish a continuous process to review and update cyber risk appetite and tolerances. Ideally, this should be aligned to at least an annual cyber risk assessment.

Next time, I’ll move on to the third point, Evaluates Alternative Strategies.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Thank you and have a great week.
