It is impossible to completely eliminate an organization’s cyber risk. Risk management best practices acknowledge this reality, dictating that an organization should mitigate or eliminate some risks, transfer others, and accept the remainder.
So, what is the right amount of risk for an organization? The decision is based upon risk appetite: the amount of cybersecurity risk acceptable to an organization in the pursuit of its goals.
The opposite of risk is opportunity, and finding the balance between the two is key to success. An organization with a high risk appetite could potentially reduce its security budget by accepting risk and the possible repercussions of an attack. In contrast, an organization with a low risk appetite must invest in additional resources in an effort to eliminate or transfer that risk.
Risk Appetite Considerations
Defining an organization’s risk appetite is a crucial first step in creating a cybersecurity strategy. When determining appetite level, a number of considerations can affect how much risk an organization can accept or may be forced to accept. You may also need to understand the following:
- Risk Capacity: The total amount of risk your organization can withstand
- Risk Threshold: Trigger levels beyond defined appetite
- Risk Tolerance: Risk range an organization is willing to accept
Examples of these considerations include regulatory and contractual requirements, security budgets, and cultural and external drivers.
Regulatory and Contractual Requirements
Regulatory and contractual requirements play a major role in determining an organization’s risk appetite. Depending on the industry in which a company operates and the type of data it collects, stores, and processes, a number of requirements may already be in place that govern its approach to cybersecurity.
For example, organizations in the financial and healthcare industries are heavily regulated with a number of government-mandated security controls. When determining risk appetite, an organization must consider the potential costs of regulatory non-compliance, such as regulatory penalties and lawsuits.
Companies may also be forced to mitigate or transfer a certain level of risk as part of contractual obligations. Those operating under contract may have service level agreements (SLAs) regarding service availability and data security. Failing to properly manage risk can place the company in breach of contract.
Security Budget
While an organization’s risk appetite should affect the size of the security budget, the inverse can also be true. No company has infinite resources, and many have only a limited budget to allocate to security. These budget constraints may force an organization to accept a higher level of risk than it would prefer.
Cultural and External Drivers
In the wake of COVID-19, many organizations are considering an extended or permanent transition to telework. This change in how organizations plan to carry out daily business highlights the impact workplace culture and external factors have on risk appetite.
In general, teleworkers pose a greater threat to an organization’s cybersecurity than on-site employees. Teleworkers often work from untrusted devices and networks, increasing their exposure to cyber threats. Additionally, they may use unapproved technologies (such as personal cloud accounts) to carry out their job responsibilities. These factors must be taken into consideration when defining an organization’s risk appetite and cybersecurity strategy.
How MorganFranklin Can Help
Defining an organization’s risk appetite can be one of the more challenging parts of developing a cybersecurity strategy. A number of considerations exist that can affect how much risk a company accepts, whether intentionally or unintentionally. A well-designed cyber risk appetite can be used to prioritize goals, increase investment efficiencies, manage cyber risk decisions, and create awareness across the organization. Based on conversations with stakeholders, the following should be considered when defining risk appetite statements:
- Position – Establishes what is an acceptable/unacceptable state, and how much.
- Value – Establishes the value of what is being protected and ties into corporate values/objectives.
- Metric – Key performance/risk indicators to monitor tolerance of risk to the desired condition.
- Action – Predetermined escalation and correction to adjust risk.
MorganFranklin can help your organization define an appropriate risk appetite. With deep knowledge of cybersecurity risks, their probability and impact, and means of mitigation, our advisors help to identify a strategy that decreases your organization’s risk to a manageable level, aligning it with business goals and creating a supportive cybersecurity culture across the business.