All the risk management measures an organization might take to address cybersecurity threats depend on one critical question: What is the organization’s risk tolerance?
Risk tolerance is a concept borrowed from investment strategy and is part of various risk assessment methodologies. Investors with high risk tolerance are willing to endure volatility in the stock market and engage in risky investments; those with a low risk tolerance are more cautious. Financial advisers make recommendations to their clients depending on each client’s tolerance of risk.
The same principles apply to cybersecurity risk management. A company’s risk appetite refers to the desired amount of risk to your data and infrastructure that the business is willing (and able) to sustain. Risk tolerance is the degree to which the company is ready to stray from those stated risk appetites to achieve other goals.
Some industries can accept a higher risk tolerance, which means their security will not be as stringent as those with lower risk tolerance. For example, risk tolerance levels will be lower if your company deals with sensitive data or is subject to strict compliance obligations.
Risk capacity is another term adopted from the investment world, but is not the same as risk tolerance. Risk tolerance is the level of risk your company is willing to accept in pursuing specific goals. Risk capacity is the amount of risk you need to get to accomplish your long-term and short-term goals.
In the financial world, high-risk investment strategies can bring higher returns. In cybersecurity, however, that’s seldom the case. So finding the right balance between risk capacity and risk tolerance will help you meet your goals without subjecting your company to unnecessary threats.
How Do You Calculate Risk Tolerance?
Knowing an organization’s risk tolerance aids in planning its risk management plan, and influences how resources are invested. For example, if an organization’s risk tolerance is low, it will invest more heavily in information security controls to protect sensitive and confidential data.
Factors Influencing Risk Tolerance
Several factors have inevitable repercussions on the risk tolerance of the companies, and these vary according to the business objectives of each.
Establish a Timeline
Each investor should make investment choices based on their time horizon. Over the long term, the market trends up. However, there is a higher risk of volatility in the short term. For example, an individual who intends to withdraw their money in 15 years can take more risk than someone who needs cash in five years.
Likewise, an organization may be in an economic or financial situation where it is more focused on liquidity. In this case, the company’s risk tolerance will be low, and the investment strategy will be more conservative.
Dimensions of Your Portfolio
The greater the portfolio’s size and diversity, the more risk-tolerant it is. A $50 million portfolio allows an investor to assume greater risk, and therefore to consider more diverse opportunities, than a $5 million portfolio. Compared to a smaller portfolio, the percentage loss in a more extensive portfolio is substantially less.
Objectives
Individuals have different financial goals and investment objectives. For many people, financial planning isn’t only about accumulating as much money as possible. Some investment decisions relate to the types of businesses an investor wants to support and less about expected returns. As a result, each person’s risk tolerance will vary depending on their personal interests and goals.
An organization with a digital transformation and cybersecurity strategy may invest heavily in new technology and will not experience high investment returns in the short term. Then again, these investment decisions aren’t meant to generate an immediate return; instead, they are driven by business objectives, long-term operational efficiencies, and avoidance of security risks.
Level of Investor Confidence
Each investor approaches risk uniquely. Some investors are naturally more willing to take risks than others. On the other hand, market volatility can be exceedingly distressing for risk-averse investors. As a result, risk tolerance is closely tied to an investor’s comfort level when taking risks.
Age
On average, young individuals should be able to take greater risks than older folks. This is because young individuals have the ability to make more money while simultaneously having more time to deal with market volatility.
Types of Risk Tolerance
Different types of risk tolerance help financial advisers, investors, and organizations determine the types of investments that are suitable for their financial situation and comfort level. These are divided into three categories: aggressive, moderate, and conservative.
Aggressive
Investors who take aggressive risks are (hopefully) well-versed in the market and are willing to take substantial chances in the pursuit of large rewards. In addition, such investors are accustomed to experiencing significant portfolio volatility. Typically, aggressive investors are wealthy, experienced, and have a diverse portfolio.
They choose asset types such as stocks with dynamic price movement. Because of the amount of risk they take, they benefit from higher returns when the market is performing well. Likewise, they may suffer significant losses when the market is underperforming. They do not panic-sell during market downturns since they are accustomed to daily market volatility.
Moderate
Moderate risk investors are less risk-tolerant than aggressive risk investors. They take some risk and often specify a maximum loss percentage. They invest in a variety of asset classes, both risky and safe. When the market is doing well, they earn less than aggressive investors but do not lose as much when it is down.
Conservative
Conservative investors take the least amount of risk in the market. They avoid hazardous assets in favor of ones they believe are the safest. They place a higher value on liquidity and preventing losses than on gaining profits. As a result, they typically invest in asset types with less volatility such as government bonds, where their capital is secured.
Businesses with High-Risk Tolerance
The benefit of higher risk tolerance is that you can be more flexible with your cybersecurity measures. That doesn’t mean you can be complacent with your risk management strategy, but you have more discretion to prioritize areas where the most protection is needed. This can save you money in the long run since you’ll have more choice about where your funds are allocated.
Businesses that either don’t process or don’t store much customer data (for example, janitorial service or commercial construction firms) can have higher risk tolerance. Your risk tolerance can also be affected by your cloud storage, the number of endpoint devices in your network, and the current configuration of your security framework.
Businesses with Low-Risk Tolerance
Businesses with low risk tolerance must be more cautious with their approach to risk management. Reasons for a lower risk tolerance could be government contracts, access to sensitive information, or trading in data that makes you a particularly attractive target for cyber thieves. Examples include defense contractors, financial firms, hospitals, and higher education.
If your company determines that your risk tolerance is low, you will have no margin for error regarding cybersecurity.
Determining Your Risk Tolerance Level
When determining your organization’s risk profile, you should consider several questions.
What Are Your Goals?
What does your past performance look like, and what does your company hope to achieve in the future? Financial goals, growth objectives, and potential mergers or IPOs are all things to consider while deciding how much risk your company can take.
What Are Your Compliance Requirements?
Do your business dealings fall under the Payment Card Industry Data Security Standard (PCI DSS) or the General Data Protection Regulation (GDPR)? Are you subject to Health Insurance Portability and Accountability Act (HIPAA) or Federal Information Security Management Act (FISMA) guidelines? If your industry, location, or size dictate compliance with a particular framework, then that framework must factor into your decision-making.
Who Needs to be Involved in the Risk Tolerance Conversation?
Your company won’t be able to determine your risk tolerance accurately without input from departments at all levels. Different team members may have different comfort levels, and it’s essential to solicit information from all of them.
What are particular risks inherent to your industry?
Do you have a complete risk assessment and internal controls strategy? For example, companies accessing or processing medical data are statistically more likely to experience attempted breaches. In addition, your company’s public profile could make you vulnerable to ransomware attacks. Consider the unique ways your company may attract risk, and plan accordingly.
Manage Risk with Reciprocity ZenRisk
Regardless of your tolerance level, your company needs a consistent strategy for managing risk. If you’re still using outdated tools to track your cybersecurity efforts, ZenRisk has the solutions you need.
ZenRisk is a unified, single-platform solution that allows you to maintain real-time monitoring of the threats that affect your company. By reducing manual effort and streamlining workflows, ZenRisk creates a clear picture of your company’s threat landscape and helps you assess, prevent, and control threats.
Schedule a demo today and see how ZenRisk can improve your company’s risk and compliance program.
