In basic terms, a company’s “risk appetite” is the level of risk the organization sees as acceptable. Not surprisingly, some use the phrase “risk tolerance” interchangeably with “risk appetite” (there is an important difference: "tolerance" is how far off "appetite" the organization will go).
But defining exactly how hungry your company is can be a difficult task—you can’t just Google ‘What is an acceptable risk appetite?’ and find the magic answer. Defining your risk appetite is a multi-step process that requires hands-on action from your risk management team as well as the executives at your organization.
As an example: I recently sat down with an organization that was interested to see if their top risks were under their defined risk appetite threshold. Initially, they didn’t know where to start because they defined their risk appetite in general, qualitative terms that were nearly impossible to measure: high, medium, low. This, surprisingly, is a common practice for many organizations. But with the right tools, organizations can easily measure their risk appetite in more useful quantitative terms, and from there can easily determine what level of appetite is acceptable for their organization.
Measuring our risk appetite is much easier if we break it down as follows:
1. Start by pinpointing relevant loss types
The most common loss types in the Information Security world are lumped into the acronym CIA: Confidentiality, Integrity, and Availability. As you assess the risks of your organization, each particular risk should tie to one or more of these loss types.
Example: A data breach would be a Confidentiality loss type.
2. Define thresholds – find out what metrics matter
This is where your personnel will do most of that heavy lifting we mentioned above. After you break down your loss types, you need to set thresholds for each loss type. The thresholds should be broken down into two different areas: loss magnitude and loss event frequency.
Defining your Loss Magnitude will detail how many records or hours your organization is willing to accept as a loss. For example, if you are analyzing an Availability loss type such as an outage, your threshold should be in terms of how many minutes/hours/days of outage is acceptable. From there, it is divided into additional subcategories, such as loss magnitude for individual applications, whether the application is internal/external, and then whether the application is revenue generating or a non-critical application. This process should also apply equally to your other loss types, such as Confidentiality and Integrity.
Additionally, you should factor in the number of loss events your organization is willing to tolerate in a time period. You might decide that your organization can only tolerate one event per year, one event every twenty years, or even no events ever.
Example: Your organization has decided to define a threshold for a potential data breach for an internal-facing database holding sensitive records at 10,000 records.
3. Analyze the actual risk and compare it to your risk appetite
Once you have clearly defined your loss types and the relevant thresholds for each loss type, you should then assess the actual risks that your organization faces and gauge where your risks fall compared to your appetite. Start with your top risks, and work your way down from there. You can use FAIR analysis to begin to quantify your risk and see where it falls compared to your risk appetite.
Example: The organization has set the threshold for a data breach at 10,000, but the internal-facing database experiences a breach of 100,000 records. Your organization is now over the threshold. Using FAIR you’re able to put it in terms of dollars and cents to see how much loss exposure there is for 100,000 records.
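The three steps above, worked through as an added example that is not the article's or the FAIR Institute's own code: appetite thresholds per loss type and application category (step 2, magnitude plus event frequency), a tolerance factor for the appetite/tolerance distinction made at the top of the article, and a comparison of the 100,000-record breach against the 10,000-record threshold (step 3). All threshold values, the tolerance multiplier and the per-record cost are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Step 2: a threshold per (loss type, application category). Magnitude is in the
# loss type's own unit, frequency is tolerated events per year. Constructed values.
@dataclass(frozen=True)
class Threshold:
    magnitude: float        # records (Confidentiality) or hours (Availability)
    unit: str
    events_per_year: float  # 1/20 == one tolerated event every twenty years

APPETITE = {
    ("Confidentiality", "internal"): Threshold(10_000, "records", 1 / 20),
    ("Confidentiality", "external"): Threshold(1_000, "records", 1 / 20),
    ("Availability", "revenue-generating"): Threshold(4, "hours", 1.0),
    ("Availability", "non-critical"): Threshold(48, "hours", 4.0),
}

# Tolerance: how far past appetite the organization will go before it must act.
# Assumed multiplier on the appetite threshold.
TOLERANCE_FACTOR = 1.5

@dataclass(frozen=True)
class Scenario:
    name: str
    loss_type: str
    category: str
    magnitude: float        # observed or estimated loss, in the threshold's unit
    events_per_year: float  # FAIR loss event frequency (LEF)
    cost_per_unit: float    # assumed dollars per record or per hour of outage

def evaluate(s: Scenario) -> dict:
    """Step 3: compare one risk against its appetite and tolerance thresholds."""
    t = APPETITE[(s.loss_type, s.category)]
    mag_ratio = s.magnitude / t.magnitude
    freq_ratio = s.events_per_year / t.events_per_year
    worst = max(mag_ratio, freq_ratio)  # breaching either limit counts
    if worst <= 1.0:
        status = "within appetite"
    elif worst <= TOLERANCE_FACTOR:
        status = "over appetite, within tolerance"
    else:
        status = "beyond tolerance"
    # FAIR-style annualized loss exposure: frequency x magnitude, in dollars.
    exposure = s.events_per_year * s.magnitude * s.cost_per_unit
    return {"name": s.name, "status": status,
            "magnitude_ratio": round(mag_ratio, 2),
            "frequency_ratio": round(freq_ratio, 2),
            "annualized_exposure_usd": round(exposure, 2)}

# The article's scenario: 100,000 records breached, 10,000-record threshold.
# LEF of 0.1/year and $150 per record are constructed assumptions.
BREACH = Scenario("internal DB breach", "Confidentiality", "internal", 100_000, 0.1, 150.0)
```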
See the presentation on risk appetite by FAIR Institute Chairman Jack Jones at the 2019 RSA Conference.