@ISACA Volume 10  17 May 2017

Defining Risk Appetite


The objective of risk management is to reduce an organization’s risk so that it is below an acceptable level. This acceptable level is decided based on the organization’s risk appetite and the tolerance for a particular risk.

Risk appetite is the amount that an organization is willing to lose in case a risk materializes or a project fails. Risk appetite varies for different organizations depending on their industry sector, culture, spread, size and objectives. The risk appetite of an organization changes over time.

The following example explains the concept of risk appetite. Nick Leeson’s adventures in money and security markets resulted in the loss of US $1.3 billion for Barings Bank; as a result, the bank went out of business. Similar activities by Jerome Kerviel in Societe Generale resulted in the loss of US $7 billion; however, the bank survived and continued to do business. In other words, Societe General had a higher risk appetite than that of Baring’s Bank.

Another benefit of an organization defining its risk appetite is that when management considers investments in new projects, different risk scenarios for the project can be evaluated to try to answer the question, “If a project fails, the organization may lose its entire investment. Can the organization afford it?” This affordability is decided by the organization’s risk appetite, yet only 26% of organizations have a defined risk appetite statement.

An organization’s risk appetite statement is an important part of the enterprise risk management framework and must be aligned with business strategy. The risk appetite should be expressed in quantitative measures; however, it can also include qualitative statements. The risk appetite of the organization depends on the risk culture of the organization.

Defining risk appetite is the board of directors’ responsibility, and when doing so, the board should consider the following aspects:

  • Board and management judgment about risk materializing
  • Total earnings of the organization and equity capital, which decide the upper limit
  • Compliance requirements, particularly legal and regulatory
  • Level of achievement of business objectives and impact of risk on them
  • Stakeholder expectations from the organization
  • Historical data and experience on risk materialization
  • Risk scenario analysis

In addition, the following aspects must be part of the enterprise risk management (ERM) framework, which will ensure the effectiveness of risk appetite and, hence, the risk management process, which includes:

  • Developing a common understanding and taxonomy for risk at the board, management and business levels
  • Conducting risk awareness and building the desired risk culture
  • Aligning business strategy with risk management, which will provide a mapping between financial aspects and risk response action plans
  • Assessing and reporting the risk profile to ensure that residual risk is within acceptable limits
  • Developing key risk indicators (KRIs), key performance indicators (KPIs) and a monitoring process
  • Understanding stakeholders’ expectations about value creation, risk optimization, security and economic sustainability

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Explore Current Issues in Security at CISO Forums


Chief information security officers (CISOs) are invited to participate in ISACA’s CISO Forums, which take place at the Cybersecurity Nexus (CSX) North America Conference, the CSX Asia Pacific Conference and the CSX Europe Conference. These 30-person forums will provide an opportunity for CISOs to share knowledge and insights on threat intelligence and the experiences and challenges organizations face in security. Attendees may claim continuing professional education (CPE) hours by attending these forums. Those who participate in a forum will also have free registration for the CSX Conference.

The CISO Forum agenda is flexible and topics that attendees are interested in will be prioritized. ISACA has launched its new CSX Training Platform, and forum attendees will be some of the first in their field to gain a month of free access to the platform. The full-day forums also give participants the opportunity to network with other CISOs.

To learn more about the CISO Forum, visit the CSX North America or Europe CISO Forum pages of the ISACA website.


Discover New Opportunities With a CISM

Ross Foley, CISM, Senior Manager of Cyber Security at PwC, Shares His Experience as a CISM

Having a Certified Information Security Manager (CISM) certification has given Ross Foley the chance to explore new places and discover new opportunities. “On a professional level, one of my key goals is to always try new things and grasp new opportunities, as you never know where they will lead,” he says. “Obtaining my CISM has been a fantastic catalyst for a host of new experiences, from working on 2 ISACA working groups in Chicago with other CISMs from all over the world, to speaking at local ISACA and other security events. On a personal level, these experiences have given me far greater self-confidence and definitely broadened my horizons.”

In addition to the security-related knowledge needed for his role, the CISM certification also provided Foley with other valuable career skills. “A lot of the skills that make up the CISM are not specific to information security. It taps into your leadership skills, your negotiating skills and your decision-making ability at a time of crisis or stress,” he says. “These are all things that we all constantly draw on in both our professional and personal lives.”

Foley knows that security is always changing. This change can be challenging, but being able to help people in a time of need makes these challenges worth it. “The best part of my current role is the variety and the challenge that it brings. No 2 days are the same and the security landscape is moving as fast as ever, with new challenges and exciting new breakthroughs all the time,” he observes. “Also, in the security world, you are often helping your clients at some of their most difficult times, and it is a great feeling knowing that you and your team have really helped turn things around when something has gone wrong.”

The CISM certification and his ISACA involvement have helped Foley professionally and they have also helped Foley experience one of his major passions—sports. “When visiting a new city on business, I always try to travel early over the weekend or even take an extra day’s leave to try and experience some of the city and culture outside of work,” he says. “I have been lucky enough to make it to a Chicago White Sox baseball game on my last trip to ISACA headquarters and I hope to get squeeze in a Chicago Bulls basketball game or Chicago Blackhawks hockey game next time!”

To learn more about ISACA certifications, visit the Certification page of the ISACA website.