June 06, 2018
Contributor: Jill Beadle
CISOs who define their technology risk appetite will optimize business performance, improve risk management processes and better meet external stakeholder expectations.
New ideas sprout up at organizations daily. Marketing wants to implement machine learning to anticipate customer behaviors. The shared services department is excited to use advanced robotics to automate processes. Before either moves forward, the organization must determine whether the idea falls within an acceptable range of risk. For companies with a defined technology risk appetite, this is a straightforward business decision.
“If you don't know your risk appetite, you aren't really managing your risks,” said Jeffrey Wheatman, research vice president at Gartner, during the Gartner Security and Risk Management Summit 2018 in National Harbor, MD. “But, if you have no risk, you have no business.”
“A risk appetite is a general statement about how much risk your organization seeks as part of normal business operations,” Wheatman explained. Before you create the statement, you and your team should have several critical discussions:
It’s vital that all stakeholders be included in the discussion. This includes: the board of directors and board of trustees; senior business leaders; other senior security and risk leaders, such as chief risk officers; and project leads. The boards have the authority to sign off and enforce accountability. The business leaders can help you identify and understand business-specific risk levels, which can vary depending on the business focus and activities.
Next, follow these five steps to create your risk appetite statement:
After you’ve finalized your risk appetite statement, determine how to best communicate it. One of Wheatman’s recommendations included using three questions that Gartner uses to empower CISOs to adapt to old and new security challenges:
Discuss the answers to each and highlight the point of intersection. Anything that falls outside of that intersection is outside of your technology risk appetite.
“Don’t spend too much time on details,” said Wheatman. “This is a broad and often inexact work product. But it’s better than flipping a coin, which is what you’re doing if you don’t know how much risk is the right amount for your organization.”