As with so many other terms in the risk management profession, there seems to be a fair amount of squishiness and inconsistency in how risk appetite (and its close cousin, risk tolerance) are defined and used. That’s unfortunate because the underlying concepts and objectives are foundational to cost-effective risk management. It seems to me that this is yet another example (similar to “inherent risk”) where a concept has been so superficially approached that it not only loses much of its potential value, but in some cases, may also increase an organization’s exposure to loss.
Every organization is “Medium-Low”
Every organization I’ve encountered defines how much cyber and technology risk it’s willing to live with as “Medium-Low”. Sometimes you’ll see it expressed as “Low-Medium”, which I suppose suggests a greater tendency toward “Low” than “Medium”.
Why this part of the risk continuum? Why not Medium or higher — or Low for that matter? It’s hard to say for sure, but based on the conversations I’ve had with executives, it boils down to:
- They haven’t been able to measure cyber/operational risk in meaningful terms that would let them make a more informed choice.
- There’s a perception that external stakeholders (regulators, customers, investors, etc.) would rebel if they believed an organization was willing to live in the upper half of the risk continuum.
- There’s a perception that choosing to maintain a Low level of risk would be prohibitively expensive. Also, some key stakeholders (investors, even regulators, etc.) might think the organization is being unrealistic and too risk averse.
So “Medium-Low” it is; almost by default. No explicit measurement or understanding required as to whether it’s appropriately balanced against resources or business objectives.
Is it useful?
Being a qualitative and inherently ambiguous term, is there any value in an organization proclaiming Medium-Low as the level of risk it’s willing to live with? How would an organization even know when or if it went beyond that threshold, or whether it had plenty of room to spare and could be less conservative? The obvious answer is that the term provides no clear threshold to achieve or to breach. That isn’t, however, the same thing as not being useful.
Even though the term isn’t clearly defined (or at least I’ve never encountered a clear definition), it does indicate roughly where decisions and actions should align along the risk continuum. No passwords required at all? Nope, not a good fit. Passwords that have to be 28 characters long and that change every day? Also not a good fit. So even something as ambiguous as Medium-Low provides gross directional guidance that can help avoid extremes in decision-making.
If all an organization wants to do is avoid extremes in decision-making, there may be no need to do anything but adopt the default Medium-Low position. It’s better than nothing. That is a pretty low bar though, and the decision-making problem space isn’t as simple as that.
Which “Medium-Low” are we talking about?
There are actually two broad categories of risk decisions that can and should be influenced by risk appetite guidance. The password examples I used above fall into the first category — discrete “tactical” decisions. Other examples of decisions in this category would include:
- Policy exception requests
- How to respond to specific audit findings
- How aggressively to react to a new zero-day exploit
The second risk decision category is more strategic. You’ve undoubtedly heard the metaphor regarding frogs in boiling water: the notion being that small incremental increases in risk can build up to a point where it becomes a terminal condition. Letting an organization know when the water is getting too hot is the “aggregate risk” problem that clear risk appetite guidance can help solve.
There is, however, a subtle but important difference between these two categories of questions. Medium-Low risk at the discrete problem level is NOT the same as Medium-Low risk at the aggregate level.
In the matrix below on the left, we have a single Medium-Low “risk instance” stemming from a discrete circumstance; perhaps an audit finding. The matrix on the right shows a portfolio of risk instances. At what point does the aggregate risk associated with these instances fall into or outside of “Medium-Low”?
I have yet to encounter a definition for Medium-Low that clearly accounts for both question categories. Some definitions have tried to be more explicit and less ambiguous, but those have only addressed one of the two categories. On the other hand, in a weird and unsatisfying way (at least to me), the ambiguous nature of Medium-Low definitions often allows them to cover both categories. The absence of clarity lets an individual (or group) decide how to interpret it in either case. Here again, this is useful in avoiding extremes. For example, it doesn’t take a rocket scientist to know that the aggregate risk associated with the portfolio of risk instances shown below probably doesn’t fall into the Medium-Low bucket.
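To make the discrete-versus-aggregate distinction concrete, here is an added example (mine, not part of the original post or of any FAIR standard material). It assumes a hypothetical mapping from each rating to a loss event frequency range and a loss magnitude range, treats both ranges as uniform for simplicity, and then compares three readings of a portfolio made entirely of Medium-Low instances: the ordinal “average rating” a heat map invites, the expected annualized loss you get by adding the instances up, and a small Monte Carlo run that also shows the tail.

```python
import math
import random
import statistics

# Hypothetical rating bands (an assumption for this example, not the post's own
# definitions): loss event frequency in events/year and loss magnitude in $ per
# event, each as a (min, max) range, in the spirit of frequency x magnitude.
RATING_RANGES = {
    "Low":        ((0.01, 0.1), (1_000, 10_000)),
    "Medium-Low": ((0.1, 0.5),  (10_000, 100_000)),
    "Medium":     ((0.5, 2.0),  (100_000, 1_000_000)),
    "High":       ((2.0, 10.0), (1_000_000, 10_000_000)),
}
RATING_ORDER = list(RATING_RANGES)  # ordinal scale, lowest to highest


def ale_band(rating):
    """Annualized loss band implied by a rating: min freq*min mag up to max freq*max mag."""
    (fmin, fmax), (mmin, mmax) = RATING_RANGES[rating]
    return fmin * mmin, fmax * mmax


def classify_exposure(annual_loss):
    """Map an annualized loss figure back onto the rating scale (first band whose top covers it)."""
    for rating in RATING_ORDER:
        _, high = ale_band(rating)
        if annual_loss <= high:
            return rating
    return RATING_ORDER[-1]


def expected_instance_loss(rating):
    """Expected annual loss of one instance; uniform ranges, so use the midpoints."""
    (fmin, fmax), (mmin, mmax) = RATING_RANGES[rating]
    return (fmin + fmax) / 2 * (mmin + mmax) / 2


def aggregate_expected_loss(portfolio):
    """Expected annual loss of the whole portfolio: expectations add, rating labels do not."""
    return sum(expected_instance_loss(r) for r in portfolio)


def average_rating(portfolio):
    """The 'just average the heat map' reading: mean ordinal position, rounded to a label."""
    idx = statistics.mean(RATING_ORDER.index(r) for r in portfolio)
    return RATING_ORDER[round(idx)]


def _poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_portfolio(portfolio, trials=10_000, seed=1):
    """Monte Carlo annual loss for the portfolio; returns (mean, 90th percentile)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for rating in portfolio:
            (fmin, fmax), (mmin, mmax) = RATING_RANGES[rating]
            events = _poisson(rng.uniform(fmin, fmax), rng)   # how many loss events this year
            total += sum(rng.uniform(mmin, mmax) for _ in range(events))
        losses.append(total)
    losses.sort()
    return statistics.mean(losses), losses[int(0.9 * trials)]


if __name__ == "__main__":
    # Constructed portfolios: one Medium-Low finding versus twelve of them.
    for name, portfolio in (("one instance", ["Medium-Low"]),
                            ("twelve instances", ["Medium-Low"] * 12)):
        expected = aggregate_expected_loss(portfolio)
        mean, p90 = simulate_portfolio(portfolio)
        print(f"{name}: average rating {average_rating(portfolio)}, "
              f"expected ${expected:,.0f} -> {classify_exposure(expected)}; "
              f"simulated mean ${mean:,.0f}, p90 ${p90:,.0f}")
```

Under these assumed bands a single Medium-Low instance carries an expected loss of $16,500 a year and sits in the Medium-Low band, while twelve of them average to “Medium-Low” on the ordinal scale but add up to $198,000 and land in the Medium band; the simulated 90th percentile sits higher still. The specific dollar figures depend entirely on the hypothetical ranges, but the shape of the result does not: the aggregate question and the discrete question are answered on different scales.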
The natural tendency then, which is implied visually in a heat map like those above, might be to take the average of the portfolio. In the next post of this series, I’ll discuss the problems associated with that. I’ll also begin describing how FAIR can help organizations more effectively define and leverage risk appetite/tolerance.