Develop Your Technology Risk Appetite

CISOs who define their technology risk appetite will optimize business performance, improve risk management processes and better meet external stakeholder expectations.

New ideas sprout up at organizations daily. Marketing wants to implement machine learning to anticipate customer behaviors. The shared services department is excited to use advanced robotics to automate processes. Before either moves forward, the organization must determine whether the ideas fall within an acceptable range of risk. For companies with a defined technology risk appetite, this is a straightforward business decision.

“If you don’t know your risk appetite, you aren’t really managing your risks,” said Jeffrey Wheatman, research vice president at Gartner, during the Gartner Security and Risk Management Summit 2018 in National Harbor, MD. “But, if you have no risk, you have no business.”

Create a risk appetite statement

“A risk appetite is a general statement about how much risk your organization seeks as part of normal business operations,” Wheatman explained. Before you create the statement, you and your team should have several critical discussions:

  • Explain the risk concepts. Clarify terminology and taxonomy and cover the purpose, process and payoff expected of the risk appetite statement.
  • Validate the business case for risk appetite. Confirm the state of your risk management and the support needed to undertake a risk appetite project.
  • Assess business stakeholder perspective. Have participants convey their views on their preferred risk-taking posture and build a consensus on the appetite for risk in light of the organization’s risk philosophy.
  • Confirm and plan go-forward actions. Identify roles and responsibilities, set timelines and define critical success factors.

It’s vital that all stakeholders be included in the discussion. This includes the board of directors and board of trustees; senior business leaders; other senior security and risk leaders, such as chief risk officers; and project leads. The boards have the authority to sign off and enforce accountability. The business leaders can help you identify and understand business-specific risk levels, which can vary depending on the business focus and activities.


Next, follow these five steps to create your risk appetite statement:

  1. Understand your organization’s strategic goals and objectives.
  2. Develop a risk appetite scale from zero (not willing to accept any risk despite potential opportunities or benefits) to high (willing to accept significant risk equal to the possible benefits).
  3. Engage with senior leadership and make sure your technology risk appetite is linked to the enterprise-wide risk appetite and to your organization’s objectives.
  4. Use common language. The statement must be easy to understand and put into action.
  5. Develop prioritization processes and tools. Recognize what you might be able to implement right away.

After you’ve finalized your risk appetite statement, determine how best to communicate it. One of Wheatman’s recommendations was to use the three questions that Gartner uses to help CISOs adapt to old and new security challenges:

  1. What is important?
  2. What is dangerous?
  3. What is real?

Discuss the answers to each and highlight the point of intersection. Anything that falls outside of that intersection is outside of your technology risk appetite.

“Don’t spend too much time on details,” said Wheatman. “This is a broad and often inexact work product. But it’s better than flipping a coin, which is what you’re doing if you don’t know how much risk is the right amount for your organization.”

More information on security and risk management is available in the Gartner Special Report “The Resilience Premium of Digital Business: A Gartner Trend Insight Report.” This collection of research focuses on how committing to resilience will equip a digital business with the mindset, resources and planning to recover from inevitable disruptions.
