By Guest Contributor: Mark Silver, MBA
'Understand your risk appetite, or fail at risk management.' That was one of the first documents I read when I joined Gartner, somewhat incredulously. 'Fail?' That is a bit harsh, I thought. I mean, I have been doing risk management for a long time, and while I understood the concept, it couldn’t be that important, could it?
The more I thought about it, and the more I spoke to security and risk professionals about the topic, the more I came to realize that it is true. If you don’t understand your organization’s appetite for risk, then there is no way that you can judiciously implement controls consistent with your organization’s desire to manage risk.
As risk and security professionals, we tend to be conservative and therefore risk averse. Makes sense, doesn’t it? I mean, you would hardly want a cyber security professional charged with the safety of digital assets to adopt a 'she’ll-be-right-mate' attitude (a very Australian expression, but one that conveys the message). As a generalization, we tend to lock things down. And we tend to do that for everything. It’s one reason many business leaders describe the Chief Information Security Officer as 'Doctor No.'
When you understand risk appetite, you appreciate that it drives not only the number of controls we put in place but also the maturity of those controls. In this context, maturity equates to effectiveness, efficiency, and repeatability.
So what does that mean? Well, risk averse organizations (those that have a low risk appetite) will want more controls and to implement those controls at a higher level of maturity. Examples of risk averse organizations would include banking and the financial services sector, healthcare, and Department of Defense-type organizations (think intelligence agencies, like the FBI, police, NSA and defense contractors, etc.).
At the other end of the spectrum are highly risk-tolerant organizations. To me, start-ups are great examples. They often start out life with no assets (relatively speaking) and very little to lose if things go pear-shaped, so they are prepared to accept higher risks in pursuing their mission, and consequently need fewer controls, implemented at lower levels of maturity.
There are additional elements of complexity:
First, not all risk appetites are the same. For example, a university hospital may have zero tolerance (a low risk appetite) for not complying with regulatory controls that protect patient information, but the same university hospital may be willing to risk a great deal more (its risk appetite is much higher) for cancer research conducted using predictive computing.
Second, different executives have different risk appetites even within the same organization. I know that when I speak with the Chief Risk Officer, Chief Compliance Officer, or general counsel, their view of risk management tends to be extremely conservative. By contrast, speaking to the Chief Sales Officer elicits a wildly different approach to risk management… sometimes, so much so I question whether they can even spell R-I-S-K.
The insurance and finance industries (particularly those that trade) generally have an exquisite sense of risk, risk appetite, and risk tolerance. So much so that they have positions dedicated to the function: actuaries. Other industries are starting to catch on and address these issues. After all, your risk appetite drives business enablement, risk management, and profitability.
Do you understand your risk appetite? Or are you failing at risk management?
About the Author: Mark Silver, MBA, is a former Fortune 20 CXO and has more than 20 years’ experience in technology, digital security and risk. He has held global roles as a Chief Information Officer, Chief Security Officer (physical and digital security), Chief Risk Officer, Chief Compliance Officer and Group Auditor. He currently works as an executive coach and consultant advising security, risk and technology executives.