It’s a universally recognized truth that virtually every business with internet connectivity assumes some degree of cyber risk – the only way to eliminate it completely is to go out of business. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a group that studies enterprise risk management, the exact level of risk an organization should assume depends on its risk appetite. Clearly and accurately establishing a company’s appetite for cyber risk and communicating it in business terms to the entire organization are crucial challenges for the CISO.
In this excerpt from chapter 6 of The Evolution of CISO: Business Insights for Cybersecurity Managers by authors Matthew K. Sharp and Kyriakos “Rock” Lambros, Lambros explains how to define an organization’s cyber risk appetite, how to differentiate cyber risk appetite from cyber risk tolerance, and how to communicate all these points to the company. He also provides a detailed example of a cyber risk appetite statement to illustrate his point.
COSO defines risk appetite as “the types and amount of risk, at the board level, that an organization is willing to accept in the pursuit of value”. It sounds simple enough, but I can’t begin to tell you how many times I’ve been asked how an organization goes about defining its risk appetite and, more importantly, its cyber risk appetite. It seems like an elusive magical purple unicorn because most organizations don’t actually codify their risk appetite. Defining a risk appetite is fundamental to risk management and to how organizations communicate and respond to risk. Risk appetite should be shared and applied consistently across the organization, because it sets the boundaries within which risk is managed.
We often interchange the terms risk appetite and risk tolerance, but they are distinctly different. Risk appetite is only part of the overall risk management approach. Risk appetite needs to ripple throughout the business, as risk decisions need to be made at different levels or business units. Each individual level or unit may have different risk tolerances around the risk appetite. While risk appetite refers to the level of risk an organization is willing to accept, risk tolerance refers to the limits of acceptable variation in performance from the business objective. Risk tolerance is a performance measure. Figure 6.1 shows some of the differences.
You can think of indicators and triggers in this context as the individual risks themselves and the metrics used to measure them (e.g., key risk indicators). A key risk indicator (KRI) is a measure of the degree of risk of an activity. It differs from a key performance indicator (KPI) because a KPI is a leading metric while a KRI is a lagging metric. For example, a KPI might be expressed as “We have 86% patch coverage”, while a KRI might be expressed as “When patch coverage falls below 80%, confirmed incidents are up 60% month over month.”
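As an added illustration (this code is not from the book and is not the authors’ own), the following Python evaluates both kinds of metric over constructed monthly data: the KPI is a point-in-time patch-coverage figure, while the KRI is a trigger condition that can only be evaluated against the prior month’s incident count. The thresholds (an 80% coverage floor and 60% month-over-month incident growth) are taken from the text; the sample figures, field names and function names are assumptions made for the example.

```python
"""Added example (not from the book): a KPI snapshot versus a KRI trigger over monthly data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonthlyStats:
    month: str
    assets_total: int         # in-scope assets this month
    assets_patched: int       # assets at the required patch level
    confirmed_incidents: int  # confirmed security incidents this month


# Constructed sample data; the numbers are illustrative, not real telemetry.
SAMPLE_MONTHS = [
    MonthlyStats("2023-01", 500, 445, 5),
    MonthlyStats("2023-02", 520, 447, 5),  # ~86% coverage: the KPI looks healthy
    MonthlyStats("2023-03", 530, 410, 8),  # ~77% coverage and incidents 5 -> 8 (+60%)
    MonthlyStats("2023-04", 540, 400, 9),  # still below the floor, but growth only +12.5%
]


def patch_coverage(stats: MonthlyStats) -> float:
    """KPI: fraction of in-scope assets at the required patch level (a point-in-time value)."""
    if stats.assets_total == 0:
        raise ValueError("no assets in scope")
    return stats.assets_patched / stats.assets_total


def incident_growth(prev: MonthlyStats, cur: MonthlyStats) -> float:
    """Month-over-month change in confirmed incidents as a fraction (0.6 means +60%)."""
    if prev.confirmed_incidents == 0:
        # No baseline: any incidents count as unbounded growth, none as flat.
        return float("inf") if cur.confirmed_incidents else 0.0
    return (cur.confirmed_incidents - prev.confirmed_incidents) / prev.confirmed_incidents


def evaluate_kri(history, coverage_floor: float = 0.80, growth_trigger: float = 0.60):
    """KRI: for each month after the first, flag when coverage fell below the floor AND
    confirmed incidents grew by at least the trigger relative to the previous month.
    Unlike the KPI, this needs history, which is what makes it a lagging measure."""
    results = []
    for prev, cur in zip(history, history[1:]):
        cov = patch_coverage(cur)
        growth = incident_growth(prev, cur)
        results.append({
            "month": cur.month,
            "coverage": round(cov, 3),
            "incident_growth": growth if growth == float("inf") else round(growth, 3),
            "below_floor": cov < coverage_floor,
            "kri_triggered": cov < coverage_floor and growth >= growth_trigger,
        })
    return results


if __name__ == "__main__":
    for row in evaluate_kri(SAMPLE_MONTHS):
        print(row)
```

Reported on its own, the April figure (coverage still under 80%) would read as a failing KPI; the KRI only fires for March, where the coverage drop coincides with the incident jump, which is the context-bearing statement the text argues a CISO should be making.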
An organization can express its risk appetite as follows:
The brand is essential for our organization. As such, we have a low appetite for risk of negatively impacting our brand and brand loyalty. We will not make decisions that place cost above our core beliefs, quality, or component selection. We value sustainability above revenue and growth. We will innovate within these parameters to develop products that meet market demands and have a moderate risk appetite to achieve this goal.
The same organization may express a risk tolerance metric as follows:
We will not purchase more than 10% of the critical components needed to manufacture the “X” widget from outside the United States.
So what does this mean from a cybersecurity risk perspective? It means don’t get lost in the weeds. Providing metrics without the proper context makes no sense and will further distance you from being considered a strategic partner. You can help set that context by defining a cyber risk appetite. Defining a cyber risk appetite is not a purely technical exercise; it requires discussions within the organization. The CEO, CFO, and cybersecurity steering committee should all be involved so that cyber risk is linked to business risk and reflects your organization’s mission and values. These discussions should consider how the organizational risk appetite is defined and the types of controls included to prioritize cyber risk management. The cyber risk appetite statement might look like the following when considering the organizational risk appetite example:
It is essential that the cybersecurity risk management program is aligned with the enterprise risk management program and enables the organization to achieve its business objectives in a manner that complies with applicable laws and regulations. Our organization has defined a low appetite for risk related to brand impact and brand loyalty and a moderate appetite for risk in sustainably achieving its business objectives.
In support of the above, the organization has a low risk appetite for loss or breach of its intellectual property and consumer data. Information assets will be classified and protected with the proportionate security controls described in the classification and data protection policy (e.g., restricted, confidential, internal or public). The organization has a low risk appetite for an access control failure. All access to systems storing or processing data classified as “internal” or higher will be controlled through multi-factor authentication as outlined in the organization’s access control policy.
While risk appetite is strategic and broad, risk tolerance is tactical and targeted; however, they are closely related. According to COSO, risk tolerance is the acceptable variation in performance. It describes the range of acceptable risk outcomes associated with achieving a specific business objective to ensure that the organization continues to operate within its defined risk appetite (represented by the dotted lines in Figure 6.2). In other words, it helps management determine whether a risk is acceptable or unacceptable. A specific risk objective generally does not exceed the point where the risk profile intersects the risk appetite (“A” in Figure 6.2).
Risk tolerance does not focus on specific risks. Instead, risk tolerance focuses on business goals and performance. As such, risk tolerance should be aligned, measured and communicated in terms of business objectives. For example, risk tolerance may be lower for business objectives that are critical to achieving the organization’s strategy and higher for less critical business objectives. The organization’s existing risk profile reflects the current level and distribution of risk across the organization.
Risk capacity is the total amount of risk the organization can absorb in pursuit of its objectives. Risk profile, risk capacity and risk tolerance all inform the determination of an organization’s risk appetite.
Excerpted with permission from the publisher, Wiley, The Evolution of CISO: Business Insights for Cybersecurity Managers by Matthew Sharp and Kyriakos “Rock” Lambros. Copyright 2022 by John Wiley & Sons Ltd. All rights reserved. This book is available wherever books and e-books are sold.