Learning your organization's risk appetite is fundamental for establishing proper accountability for managing risk. CISOs, IT security and risk management leaders need to work with business stakeholders to determine organizational risk appetites.
- The majority of enterprises don't fully grasp what their appetite for technology risk is, leading to poor decisions about risk treatment and acceptance.
- Without a solid comprehension of the evolving enterprise risk appetite, it is impossible to match risks to risk treatments efficiently and effectively.
- Security and risk management leaders are challenged when engaging with business stakeholders on how to create and articulate risk appetite statements that are not too broad or too granular.
- The focus of risk appetite discussions tends to be based on quantitative risk models, which are often not workable or defensible.
Gartner recommends that CISOs, IT security and risk management leaders do the following:
- Articulate and socialize the concepts of risk appetite and risk tolerance with technology and business stakeholders.
- CISOs should engage business stakeholders in workshops to discuss the current risk landscape, possible scenarios in which current and future business initiatives may lead to excessive risk, and how to prioritize risks.
- Create simple, practical and pragmatic risk appetite statements that are linked to business goals and risk treatment plans.