How to establish your business’s risk tolerance

Every organization in operation today faces a barrage of risks – from cyberattacks aimed at stealing data to geopolitical threats that could disrupt operations.

Yet security experts say executives at many organizations don’t know which specific risks pose the greatest threats to their business’s survival, which would wound them, and which could cause mere operational hiccups.

Sure, large companies with chief risk officers and an entire risk department can identify, classify, mitigate and monitor risks. Organizations in highly regulated industries also tend to have highly mature risk management practices.

Most others, however, are much further down the maturity scale.

“The average company deals with risk ad hoc. It’s just done by gut,” said Candy Alexander, a veteran security executive now serving as president of ISSA International, a nonprofit international association for information security professionals.

Findings from the National Association of Corporate Directors speak to this point, indicating a general desire to better understand risk.

In its 2019 Governance Outlook: Projections on Emerging Board Matters report, the NACD found that 82% of respondents to its annual survey of public company directors were confident in management’s ability to address known risks, yet 70% believed they need to better understand the risks and opportunities affecting company performance.

Similarly, security experts say many organizations need to better manage risk. They say the process starts with knowing what risks threaten them and how significant those risks are to the ability to do business.

“Risk is something that could potentially introduce harm or a negative aspect to the business,” Alexander says. “So you should know that if something were to happen, how much of an impact that would have on your organization. You need to know what your risk appetite is, or where you position yourself on risk, what’s your threshold.”

Alexander explains that when she works with companies to set their risk appetite, she starts with them identifying risks and then classifying those risks based on how much damage they’d do if they came to pass. She asks them to rank the impact of varying risks from catastrophic to critical, high, medium and low.

This knowledge helps establish what, and how much, a company can tolerate for each identifiable risk. It’s a measure that’s often called business risk appetite, or sometimes business risk tolerance. (The two terms are sometimes used interchangeably, with some security leaders defining each slightly differently.)

A critical component for strategic alignment

Establishing a business risk appetite is critical because it enables CISOs, as well as other executives, to align their efforts to the business needs — thereby allowing them to prioritize resources and to focus spending, staff and day-to-day activities on those areas where organizational leaders have the least appetite for risk.

“If risk tolerance isn’t defined, it’s hard for management to determine how they should invest in tools or resources to secure the organization,” said Tichaona “Tich” Zororo, an IT advisory executive with Enterprise Governance of IT (Pty) Ltd. in South Africa and a board director with ISACA, an international professional association focused on IT governance.

“If [organizational leaders] say, ‘We can’t tolerate any cybersecurity attack,’ if it’s almost at zero, that gives the chief information security officer direction in terms of to what extent they should invest in security tools and the right skills so that at all costs the organization is secured. But if [the] organization says the tolerance is at least able to tolerate attacks without breaking the business, that also has an impact on how the CISO should invest and spend time on what should be secured.”

Task ownership

An important step for organizations to take when establishing their appetite for risk is to be clear on who owns this task, security experts say.

“Companies must explicitly decide who makes decisions on business risk, but that’s often not established in businesses,” says Wendy Nather, head of the Advisory CISO team at Duo Security, a business unit of Cisco.

Companies with a dedicated risk function, where there’s a chief risk officer, have already answered that question — but that’s the exception, not the rule.

That’s one of the reasons that CISOs in many organizations that aren’t big enough, aren’t mature in their security practices, or aren’t in highly regulated industries are tasked with leading efforts to establish the business’s risk appetite.

But Nather says establishing the organization’s appetite for risk must involve the executive team — and not simply be dumped on the CISO to do alone.

Others agree.

“The organization owns the risk, because risk is based on decisions the business made over time. So, the CISO, the COO, general counsel and the CIO should all be in charge,” adds Gary Hayslip, a veteran information security and IT executive as well as a co-author of the CISO Desk Reference Guide.

Hayslip says he recently worked at a company where as CISO he served alongside the CFO, the COO and the general council on a risk committee that was charged with making decisions on identifying and managing risk. It’s an approach he recommends other organizations take.

Identify, classify risk

Once ownership of the task is determined, security experts advise executives to identify the types of problems that could jeopardize their ability to do business.

Those problems can be put into buckets of risks and then broken down into more detailed scenarios. For example, executives could identify cyber threats as a category of risk and then identify data breaches and malware as specific types of risks within the category. They could also, as another example, identify geopolitical troubles as another bucket of risk and then note that overseas disruptions could interrupt the company’s supply chain. Regulatory compliance could be another bucket, with failing to meet specific federal regulations and incurring fines as a result a more specific element within that category of risk.

Experts recommend using risk assessment frameworks — such as those from NIST (the National Institute of Standards and Technology) or FAIR (the Factor Analysis of Information Risk) — or using an independent third-party consultant to help fully identify the risks that could harm an organization’s ability to do its work.

Stay focused on business impact

CISOs should work to make sure such assessments, as well as the entire process of establishing the organization’s appetite for risk, is business-focused.

“We have to translate what we’re seeing — the threats and vulnerabilities — in a way that filters out the noise and presents the true risk to the organization so they can establish their true risk tolerance, and whether they’d be OK with the potential fallout if something should happen,” says Heather Engel, chief strategy officer at cyber risk management firm Sera-Brynn.

Consider Alexander’s approach here. She says she drills an organization’s executives and directors to understand what they see as the most critical components of their business. She asks them: “If something were to happen, how much of an impact would that have on your organization.” Would that incident be catastrophic and take the business down immediately? Or would it shutter the company within weeks? Or could the company recover, or maybe barely be affected?

This is where Alexander categorizes identified risks from catastrophic to low, determining the category based on how severely the organization would be hurt should a particular risk actually happen.

Each organization should come to its own conclusions, as they’ll have different risk appetites depending on their own unique culture and objectives as well as their industry and regulatory requirements.

Moreover, experts say every organization should articulate a range of risk appetites to reflect their varying level of tolerance for different scenarios.

“If you can establish risk at a system level, then you can say this risk tolerance for this system is higher because it’s not something we need as a business-critical function,” Engel explains.

Likewise, Hayslip says executives should assess and articulate the business impact of each risk by understanding the kind of damage each situation would inflict, using expected time to recovery objectives as a way to judge the potential harm.

“Now your risk is visible, now you have to deal with it, what you’re willing to accept, what you can mitigate, what you need to get rid of, what you can fix,” he says.

Tie risk tolerance to strategy

Security experts agree that executives working to establish their organization’s tolerance for the various risks it could encounter need to consider their strategic goals when determine the criticality of each risk’s potential impact on the business.

A hospital, for instance, may see a data breach as a significant risk for which it has a low tolerance, but it should place higher value on clinical access to patient data to ensure life-saving care isn’t hindered.

Executives should consider mitigation costs when evaluating risks and determining their tolerance of them, Nather says. They could determine that for some risks, it’s cheaper to deal with fallout from the problem if it actually happens than implementing technologies or policies to lower the chances of that problem occurring. There’s no sense in spending $1 million to mitigate a problem that costs half of that to fix after the fact, she adds.

Zororo says that’s why organizations should establish their risk tolerance when they create their strategic vision.

“Risk tolerance should be set when defining strategic objectives, which most organizations set every three or five years,” he says.

However, he and others advise organizations to revisit their risk appetite more frequently to ensure they remain on track as new risks arise and old risks change.

Just as many enterprises now re-evaluate strategic objectives more frequently than in the past to keep up with changing dynamics, organizational leaders should confirm they’re concentrating mitigation efforts on the areas where risk tolerance is lowest.

“A good CISO will keep that conversation going by reporting on the risk mitigation and then begin doing self-assessments and articulating the security posture of the organization based on the risk tolerance decisions,” Alexander says.