It might seem strange to refer to a component of your cyber risk management plan as an “appetite” – but defining your organization’s appetite for risk is indeed part of risk management, and an important one.
Put simply, risk appetite is the level of risk your organization will accept in the course of doing business, and what you plan to do about those risks. This includes any risk-taking needed to meet your success metrics, as well as the risk management you have in place to protect against the threats that come with it.
A risk appetite statement puts those decisions in writing, tying them to your broader business objectives. It’s a living document, critical to risk management since it helps to establish parameters and priorities for your policies, procedures, and internal controls.
How Do You Write a Risk Appetite Statement?
First, a CISO should never make major risk management decisions alone. You should assemble key stakeholders and senior management from across different departments within your organization to help you evaluate goals. These conversations will guide your continued risk management even after your initial risk appetite statement is drafted.
Once you have your team together, decide on shared terms to keep the document concise and unified. Different groups may have different internal vocabulary for the same business objective, and you’ll want to be sure everyone speaks with a common language for a smooth decision-making process.
You’ll need to prioritize strategic objectives in relation to risk tolerance and success metrics across your organization. You may have already done this if you’ve recently completed your regular cyber risk assessment. You can look at your risk profiles within that assessment to get an idea of how to proceed. Additionally, consider strategic risks that may not have directly been addressed in your prior assessment: what risk tolerance does your company have for losses from failed business decisions?
One way to categorize your operational risks is to assign them different risk profiles. This may come naturally via prioritization, but if you need an example, you can look to the U.S. Agency for International Development’s (USAID) 2018 risk appetite statement.
USAID breaks things down into risk categories including:
- Human capital
- Information technology
USAID then assigns each category an “overall risk appetite,” ranging from high to low, which you can see in greater detail in USAID’s risk appetite statement. Each category has a risk profile and smaller breakdowns by operational risk. Then USAID lists relevant regulators and internal controls for risk management.
Of course, this is only one type of risk appetite statement. Your risk managers should spend time reviewing exemplary statements together. A few examples to get you started appear below.
Examples of Risk Appetite Statements
USAID has a thorough risk statement that is worth reading as a primer for what an extensive appetite statement can encompass. For example, from the 2018 statement:
“We have a MEDIUM risk appetite with regard to: Implementing long-term strategic focus in our country programs. We will set priorities and implement long-term strategic focus in our country programs based on rigorous analysis and collaboration with key stakeholders to achieve more effective results. We will also continually balance this with our obligation to implement initiatives, directives and/or priorities from Congress and the interagency not foreseen during the strategy development process.”
In this example, the agency clearly states the level of risk appetite for a specific instance. You can see in the document itself how the agency breaks down associated risks for each category, including mitigation techniques for those smaller subcategories.
Another example of a risk appetite statement comes from the Office of the Comptroller of the Currency (OCC), a regulator for retail and community banks in the United States:
“The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure. The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives. The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.”
Note in this example how it’s possible to have “no appetite” for a certain type of risk. In this instance, it makes sense that an organization dedicated to ensuring the safety and security of financial institutions doesn’t want to take any chances with information systems and confidential data.
On the other hand, the OCC is willing to take some risks to develop improved systems and to try innovative technology to meet user demand. Its mitigation technique for this moderate appetite is to think through decisions for new programs via the organization’s governance.
ZenGRC and Your Risk Appetite Statement
Risk-taking is a key part of success for many businesses, and is not something to be avoided. That does not mean you have to tolerate an amount of risk beyond your decided acceptable levels.
You can maintain a healthy, regular cybersecurity routine via ZenGRC. You’ll have access to seamless data flows in one enterprise risk management dashboard, allowing you to monitor changes and quickly export data on new potential threats. A tool like ZenGRC makes maintaining a living risk appetite statement that much simpler.