Mukul Pareek, CISA, ACA, AICWA, PRM
As a risk manager, knowing the organization’s risk appetite means knowing how much risk the organization is comfortable bearing. In the financial world, risk appetite is almost always expressed explicitly, in the form of value-at-risk limits, and limits on concentration risk, counterparty exposures, liquidity, leverage and so on. This explicit expression takes the form of money units—dollars and cents, for example—making everything fairly objectively measurable and reportable.
For risk managers responsible for operational risk, such explicit statements of risk appetite are difficult to articulate. Risk, in these contexts, is usually rated as high, medium or low, or on a similar subjective scale, with a great deal of reliance on the risk manager's judgment.
Risk appetite is then reduced to a loosely held understanding that the highest-rated risk factors are to be addressed first, without any clear statement of whether a given risk is acceptable or unacceptable for the organization to hold. This is in stark contrast to thresholds for financial risk, where breaching a limit requires almost immediate risk reduction, with escalation and communication happening automatically.
For the technology risk manager, the challenge is similar in that clear boundaries for the extent of information-systems-related risk that management is willing to keep are undefined. Explicit statements of risk appetite rarely exist. Decisions on whether to live with a risk or mitigate it are largely based on judgment and, often, on what resourcing and budgetary situations permit in any particular situation. Knowing the organization’s risk appetite means being clearly aware of the nature and kinds of risk that are acceptable, those that are unacceptable, and those that are acceptable only after executive review and approval.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk appetite as "the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value."1 ISACA defines risk appetite in a similar way as "the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission."2 However, an "amount of risk" stated at a broad level is not a discrete threshold against which a technology risk manager can objectively evaluate an individual finding. A more formal approach is needed, one that states the risk appetite in terms of the kinds of risk actually encountered, so that each finding can be tested against it.
Articulating the risk appetite involves setting the standard against which assessed risk is compared with a view to making a decision on avoiding, mitigating or holding risk. But, as ISACA’s definition of risk appetite states, risk appetite has relevance only within the context of the organization’s mission. The risk that would be acceptable for an organization focused on increasing market share would be different from one that places a higher priority on protecting reputation, which, in turn, would be different from an organization that seeks to provide superior customer service. The business managers involved in codeveloping and setting the risk appetite need to be those whose responsibilities relate directly to the organization’s mission and whose business processes IT supports.
Of course, an organization may have multiple objectives, not all of which are equally important. In fact, defining, communicating and gaining acceptance for an explicitly stated risk appetite from business managers can be a great engagement opportunity for the risk manager. Resourcing and funding discussions can also benefit from a focus on whether a given risk exposure is above or below the risk appetite.
So how does one express risk appetite? A lazy way may be to relate it to the results of risk assessments. For example, one could express risk appetite as a simplistic statement saying that the organization is comfortable living with risk rated medium or low, but not with risk rated high or critical. The trouble with this approach is that it lacks clarity and specificity, and, therefore, it is open to challenges by business managers and technologists alike. It is not specific because it focuses on a rating that is one level removed from the risk itself and, as an abstraction of the seriousness of the underlying issue, represents the technology risk manager’s perspective, which may not be shared by others.
A formal statement of risk appetite should establish the objective scale against which the risk could be measured and compared, and the risk rating determined thereafter. The formal statement of risk appetite could then provide the rationale as to why a particular rating is assigned to a finding, as opposed to the rating determining if the finding falls outside of the acceptable risk threshold.
Risk ratings and rankings are widely used in organizations, yet the countless hours spent arguing with auditees about why something should be high rather than medium (or the reverse, where the auditee has a self-interest in protecting a pet project) show that the debate over the label draws attention away from the underlying risk. Further, risk ratings are often disconnected from the organization's purpose and are difficult to act upon, because senior management may not sponsor the effort required to remediate risk factors classified in this way. For this reason, issues and findings, even those rated high, tend to live on far longer than they should. Using risk ratings as a surrogate for expressing risk appetite is, therefore, not a good idea. This does not mean that the risk rating is no longer relevant, only that it comes after, and uses as one of its inputs, the result of measuring the finding against the statement of risk appetite.
Explicitly setting the risk appetite allows the risk manager to state with clarity and authority which kinds of risk are acceptable and which are not. It is then possible to hold accountable groups that are responsible for addressing risk that goes beyond the organization’s risk appetite. Decisions are also less open to organizational debate because issues are being measured against agreed criteria, as opposed to being assigned a risk rating that needs to be continually justified and defended.
So how does a statement of risk appetite manifest itself in a practical way? Is it a lofty statement of good intentions that is high on the acceptance scale, but low in implementation quality? Or is it so detailed that it includes every possible risk that exists in an organization’s risk universe? A high-quality statement of risk appetite is probably somewhere in the middle. One way to think about it would be to consider the ways a risk would be realized, and then think about the classifications, attributes or characteristics that the risk realization paths bear. Risk appetite can then be expressed in statements that are clear, are stated in a way that supports protecting the achievement of business objectives and are agreed to by senior management.
Figure 1 provides examples of statements of risk appetite stated in binary terms as being acceptable or not. The examples focus on cybersecurity risk, though the analogy may be extended to other kinds of IT risk, of which cybersecurity risk is a subset. As organizations mature, these statements of risk appetite may be explicitly tied to operational and financial performance objectives. That linkage is not demonstrated in the examples provided in figure 1 for reasons of brevity, and it is assumed that if a risk is unacceptable, it is because it impacts the organizational objective in an unacceptable manner.
In the same way, risk appetite could be stated for other technology risk issues; for example, whether or not an IT general control weakness qualifies as a material deficiency could provide the test for the risk being acceptable or unacceptable.
Over time, the simplistic risk appetite statements may need to develop into more complex and better stated frameworks that include a number of different, related elements:
Understanding the need to ascertain and express risk appetite is a task of self-discovery for any organization. It helps crystallize the organization’s true attitude toward risk and forces a hard look by senior management at how far it is willing to let the organization walk on the technology risk plank. Risk appetite should answer the question as to which risk factors the organization is comfortable bearing and which it is not. It should transform risk discussions by making irrelevant the likely different interpretations of what is acceptable to live with each time a risk assessment or audit is performed.
To summarize, the following points are worth keeping in mind:
1 Rittenberg, Larry; Frank Martens; Enterprise Risk Management: Understanding and Communicating Risk Appetite, Thought Leadership in ERM, The Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2012, www.coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20Appetite-WEB_FINAL_r9.pdf
2 ISACA, Glossary, "Risk Appetite," www.isaca.org/glossary
Mukul Pareek, CISA, ACA, AICWA, PRM, is a risk professional based in New York, USA. Pareek is the copublisher of the Index of Cyber Security (cybersecurityindex.org) and the author of a risk education web site, www.RiskPrep.com.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.