New ideas sprout up at organizations daily. Marketing wants to implement machine learning to anticipate customer behaviors. The shared services department is excited to use advanced robotics to automate processes. Before either moves forward, their organization must determine if the ideas fall within an acceptable range of risk. For companies with a defined technology risk appetite, this is straightforward business decision.
“If you don't know your risk appetite, you aren't really managing your risks,” said Jeffrey Wheatman, research vice president at Gartner, during the Gartner Security and Risk Management Summit 2018 in National Harbor, MD. “But, if you have no risk, you have no business.”
Create a risk appetite statement
“A risk appetite is a general statement about how much risk your organization seeks as part of normal business operations,” Wheatman explained. Before you create the statement, you and your team should have several critical discussions:
- Explain the risk concepts. Clarify terminology and taxonomy and cover the purpose, process and payoff expected of the risk appetite statement.
- Validate the business case for risk appetite. Confirm the state of your risk management and the support needed to undertake a risk appetite project.
- Assess business stakeholder perspective. Have participants convey their views on their preferred risk-taking posture and build a consensus on the appetite for risk in light of the organization’s risk philosophy.
- Confirm and plan go-forward actions. Identify roles and responsibilities, set timelines and define critical success factors.
It’s vital that all stakeholders be included in the discussion. This includes: the board of directors and board of trustees; senior business leaders; other senior security and risk leaders, such as chief risk officers; and project leads. The boards have the authority to sign off and enforce accountability. The business leaders can help you identify and understand business-specific risk levels, which can vary depending on the business focus and activities.
Next, follow these five steps to create your risk appetite statement:
- Understand your organization’s strategic goals and objectives.
- Develop a risk appetite scale from zero (not willing to accept any risk despite potential opportunities or benefits) to high (willing to accept significant risk equal to the possible benefits).
- Engage with senior leadership and make sure your technology risk appetite is linked to the enterprise wide risk appetite and to your organization’s objectives
- Use common language. The statement must be easy to understand and put into action.
- Develop prioritization processes and tools. Recognize that you might be able to implement right away.
After you’ve finalized your risk appetite statement, determine how to best communicate it. One of Wheatman’s recommendations included using three questions that Gartner uses to empower CISOs to adapt to old and new security challenges:
- What is important?
- What is dangerous?
- What is real?
Discuss the answers to each and highlight the point of intersection. Anything that falls outside of that intersection is outside of your technology risk appetite.
“Don’t spend too much time on details,” said Wheatman. “This is a broad and often inexact work product. But it’s better than flipping a coin, which is what you’re doing if you don’t know how much risk is the right amount for your organization."