Getting to know your company’s risk appetite

Mar 16, 2018 | 5 mins
Data and Information Security | Privacy | Risk Management

Your employees make risk/reward decisions daily. Have you defined risk boundaries for them? Unwanted risk or missed opportunities happen without clear direction.

As discussed in The risk of okra, every company is in business because it is willing to take on risks that others aren't. It is important for an organization to keep track of the risks it is willing to take and not confuse them with risky behavior it isn't willing to accept. Working this out is called determining the company's risk appetite.

When it comes to risk appetite, there are three categories:

  • On-strategy: Risks that are aligned with the business
  • Parameterized risks: Risks that may be necessary but need to have boundaries set
  • Off-strategy: Risks that are never aligned with the business

Your job is to help the company identify which risks fit into each category.


Risks that are aligned with the business are those we intend to take as a normal part of doing business. These are called on-strategy risks.  If your business is a grocery store, purchasing okra is an on-strategy risk.  If your company is a financial institution like a bank, approving an individual for a home equity loan is an on-strategy risk.  All risks have parameters within which operation is determined to be acceptable, even on-strategy risks. Clearly, if you are a small grocery store you don’t want to buy ALL the okra.

If you are a bank, you have parameters for approving a loan.  On-strategy risks are at the core of a business.  These are the risks you must take in order to be considered a viable player in the market.  Sometimes on-strategy risks result from the need to innovate your product or service in the marketplace. The risk associated with innovation is a major part of on-strategy risk and is a major business driver.

In many industries customers will pay the business to be innovative. When we look at the software industry, for example, customers pay a license or maintenance fee. This fee is frequently paid annually and provides customers with bug fixes and new releases of the software. It is a fee that customers pay for the software developer to be innovative. As a result, software companies must be particularly aware of, and open to, the cost and risk of innovation, because for them innovation is a risk that customers pay for directly. It is important for your business to be aware of on-strategy risks, because they relate directly to revenue and business goals.


The second category isn’t a list of risks but contains the risk parameters or boundaries used to evaluate risk going forward. This is the largest group and includes strategic, financial, operational, quality, and other risk types.  Under financial risk, you might want to have a parameter for investment limits.  The amount would depend on your business.  For example, the grocery store might say that no single capital investment shall be larger than $500,000, while the bank might say that capital investments need to be sized so the company is able to maintain their cash flow target of $500 million.

The point is there are different strategies and different types of parameters for different companies.  Other common risk parameters in this area include self-sustaining growth (minimum amount of working capital), financial strength (minimum profit margin), loss exposure, project parameters, and customer dependence.  By identifying boundaries, you can help the business evaluate opportunities and challenges in a changing environment and still stay true to the risk appetite boundaries set by senior management. 


Risks that are never aligned with business objectives are called off-strategy risks.  These risks are deemed so dangerous to the ongoing nature of the organization that a company would never knowingly take on the risk.

For many organizations, risks to reputation fall in the off-strategy category.  A good example of this is the brand image impact associated with a data breach.  We have seen many examples of companies that haven’t approached data breaches properly and have lost ground in the market as a result.  Immediately after the Equifax breach the company offered credit monitoring services to people who were impacted.  This credit monitoring was to be done by TrustedID Premier – an Equifax company.  The perception issues of Equifax suffering a data breach and then hiring themselves to monitor consumer credit were not positive for the Equifax brand.

The hit Equifax took in its share price as a result of the breach and the subsequent PR debacle was significant. Equifax announced the breach on Sept. 7, 2017. It is interesting to note that the people whose data was compromised are not customers of Equifax, so Equifax didn't suffer a significant customer impact. The damage was done purely through reputation, not through customers leaving.

The reason it is so important for an organization to formally understand its own risk appetite is that your employees are making risk/reward decisions every day. From the person stocking the grocery shelves, to the software engineer, to the bank loan officer, employees make decisions that affect the business. If your employees don't know the boundaries, they behave according to where they perceive those boundaries to be. Your company might unknowingly take on unwanted risk, or miss an opportunity, because of these decisions. By identifying your risk appetite and communicating it to your team, you help them make better decisions.


Phil Richards has both breadth and depth of security experience. He currently is the Chief Information Security Officer (CISO) for Ivanti. He has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.

In his security leadership roles, he has created and implemented Information Security Policies based on industry standards. He has led organizations to clean PCI DSS and SSAE SOC 2 compliance certifications, implemented security awareness training, and established a comprehensive compliance security audit framework based on industry standards. He has led organizations through GLBA risk assessments and remediation and improved the organization's risk profile. Finally, he has implemented global privacy policies, including addressing privacy issues in the European Union.

Transforming an organization requires focus on the objectives, clear communication, and constant coordination with executive leadership, which is exactly what Phil has focused on during his security career.

The opinions expressed in this blog are those of Phil Richards and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.