Enterprise risk management – an appetite for destruction
Risk appetite is considered the volume of risk that an organisation is willing to take in order to meet their strategic objectives. Adrian Wright, vice president of research at the UK chapter of the Information Systems Security Association, explores risk appetite in more detail.
If the title of a 1987 Guns n’ Roses album sounds an unlikely opening for a cyber security article – you are probably right. But when applied to the broader question of enterprise risk management and the need to develop a top-down risk tolerance strategy, the relevance may become clearer.
Failure by organisations to develop, communicate and monitor a suitable risk appetite strategy can lead to catastrophic business failure either way; by either accepting too much inherent risk, or conversely being too cautious and allowing the business to be overrun by spiralling governance costs and far bolder competitors.
COSO defines it thus: “Risk appetite is the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value. Each organisation pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.”
Organisations encounter risk every day as they pursue their business objectives. Senior management must therefore deal with the fundamental question of: How much risk is acceptable while pursuing these objectives? Additionally, external regulators and other bodies need to evidence organisations’ risk management processes and board oversight, which is another area of risk in itself. But not all risk is bad. Modern businesses need to innovate to compete and survive; and you cannot innovate without taking on risk. Sometimes a lot of risk. Essentially there is no longer a ‘safe path’ to stick to if you want to both stay in the game and win it.
Managing risk, managing expectations
A few years ago I attempted to open up a conversation with the board of a large multinational around risk acceptance, with the aim of striking a balance between the costs of security countermeasures versus the likely cost of any losses: thereby setting expectations around what was achievable. This endeavour fell at the first hurdle of ‘what level of per event or annualised loss is acceptable to the business?’
‘None’ came the inevitable response, thus sealing the end of that debate. Nowadays, boards cannot possibly ignore the endless tide of publicised breaches and corporate collapses that adorn the media every day, and boards now seem to have accepted the ‘not if, but when’ philosophy, which acknowledges that you can’t secure everything and therefore losses are bound to occur – no matter how much money you throw at managing risk.
Nonetheless, having that debate at a senior level and then executing an organisation‑wide programme to embed the risk appetite and risk tolerance strategy into every business process, remains a daunting task that not every business is yet prepared to embrace. Like the elephant in the room, it is often easier for the various risk management functions to just keep pushing along doing what they do while hoping for the best. Unfortunately that’s no longer enough.
Risk appetite and tolerance
Completely defending a large organisation against the onslaught of growing numbers of threats, and increasingly sophisticated attacks would require more resources than many businesses are worth, and then some. So there needs to be some conscious acceptance of risk at the strategic level, which is then fine‑tuned to each critical business function as a tactical solution to managing ongoing risks.
This is where the terms Risk Appetite and Risk Tolerance appear: the former constitutes a strategic, board sanctioned, policy message and plan; and the latter a more tactical approach to identify the most critical parts of the business operation and apply an acceptable level of risk acceptance variation each entity is willing to accept; based on the operational criticality of each function to the overall business.
Without these formal statements on risk appetite and tolerance clearly mandated, communicated and integrated across a business, it is hard to set goals and priorities or to allocate resources to best manage all forms of risk across the organisation. Yet research suggests that only around a quarter of large public and private companies have a formally articulated statement of risk appetite in place. There is a view that this absence of a formal and coherent risk appetite strategy across three-quarters of organisations is at the root of ever increasing numbers of breaches and failures in recent times. Too much gets spent securing functions and assets the business could still survive if lost; while the real Achilles heels lie relatively unprotected due to distractions elsewhere.
So, what to do? Well whatever you decide to do you cannot do it in isolation. There needs to be a will and mandate from the top which leads to federation of the various risk functions in pursuit of a set of common objectives. Education and influence are key to introducing these concepts in a way all parties will understand and buy into. Sometimes you don’t know you have a problem until someone educates you enough to see it.
So if you are natural educator and influencer who happens to be sitting in one of the risk functions in a business that’s lacking a current strategy and statement that deals with risk appetite: then you know what to do!
Adrian Wright is CEO and founder of Secoda Risk Management, vice president of Research at the ISSA-UK, and former global CISO of Reuters for eight years. Having 20 years of experience in corporate information security and technology risk, Adrian researches and consults widely on a range of security and governance issues such as cloud computing, human factors in awareness and compliance, incident management, and managing insider threats.