Doing business requires taking risks, and in today’s digital economy, those risks are increasingly cyber-related. Whether you collect or store customer data for purchases, have remote employees working from home, or simply back up your data to the cloud, these digital operations increase your organization’s exposure to a cyber event. At the same time, these same operations are critical to keeping your business running effectively and efficiently.
So how do you weigh the inevitable cybersecurity risks your organization must take on to succeed against the vulnerabilities and threats they can expose you to? That’s where your cyber risk appetite comes in.
Most organizations are willing to accept some level of risk in order to achieve their goals, so the key to maintaining a healthy balance is identifying and quantifying the thresholds that your organization deems acceptable given its business goals. These acceptable thresholds are your organization’s risk appetite.
Define your risk appetite. Some organizations have defined different risk appetite thresholds for various business units as well as an overall risk appetite. Defining the overall risk appetite should occur at the board and executive level, and should take into account a variety of factors – including everything from business strategy and goals to regulations, insurance and cyber vulnerabilities. In fact, Deloitte suggests that boards and executives should have a clearly articulated risk appetite incorporated into existing risk management and governance processes. We believe it is critical that the CISO has a seat at that table because, in order for the CISO to protect and enable the business, they have to be able to provide guidance on the cybersecurity risks related to the organization’s business strategy and goals. This enables the executive team to discuss and determine whether the benefits of a certain business strategy outweigh the cyber risk, or vice versa.
An article from Marsh McLennan states that “an effective, measurable, and actionable cyber risk appetite provides institutions with a risk management capability to set and communicate strategic boundaries for cyber risk-taking across the institution.” A risk appetite essentially puts cyber risk and cybersecurity into business context and enables all executive stakeholders to better understand the cyber risk implications of new business initiatives, technology, or even human resource policies, like shifting to a ‘work from home’ culture.
Quantify your risk appetite. The challenge for most organizations, however, is defining what “acceptable” means to them. For many, it is helpful to reframe risk appetite probabilistically: are we comfortable with a 10% chance of losing $1M in a given year? What about a 30% chance? Framing what’s acceptable in quantitative figures provides clearer boundaries for the CISO and the rest of the executive team. This not only helps ensure they share a common understanding of the organization’s risk appetite, but also enables them to collectively establish the appropriate KPIs, so CISOs can allocate resources and measure results accordingly.
As an example, consider the increased vulnerabilities that resulted from shifting entire organizations to remote work in response to COVID. Organizations did not have much time to prepare, and many made the shift rapidly for the safety of their employees and for the sake of operations. While that strategic decision enabled them to maintain operations, it also increased the probability of cyber events, because employees were relying on their home networks, which were less secure than their office networks.
The risk appetite discussion here could go something like this: if we shift to remote working in order to maintain our business and generate revenue, are we willing to accept losses associated with cybersecurity incidents in the amount of $1 million? If not, the CISO and executive team can discuss risk mitigation strategies that help protect the organization while still enabling the business to work from home, and then weigh the costs of those strategies against the probable costs of the risk and the probable rewards of enabling their workforce to work from home.
Measure, monitor and evolve your risk appetite. Measuring risk appetite and establishing KPIs are critical to monitoring and controlling your organization’s risk appetite. EY wrote a recent article series on why risk appetite should be renamed “performance appetite,” because doing so makes it easier to measure and tie into established KPIs by setting limits on performance capacity as it relates to risk. Regardless of what you call it, the important concept to take away is that establishing those thresholds is only the first step. Monitoring and measuring them is step two, and evolving and adjusting them to ensure continuous alignment with your organization’s business goals is step three.
To learn more about the critical role risk appetite plays in Cyber Risk Quantification, check out our MasterClass series on CRQ.