Risk Appetite

Risk = Uncertainty

This short series of articles about risk (part 1 is here) started because a client asked me to evaluate their current IT and systems but, for budget reasons, did not want to look at cyber security. A short discussion with a manager soon took the question back to the board, and the scope was expanded to include their cyber security. You cannot decide whether one is fit for purpose without considering the other.

Once you start talking about cyber security and its risks, you soon realise that you are dealing with uncertainty. No one wants uncertainty.

Let’s start part two…

You cannot escape the whiteboard when looking at risk

Where to now?

My goal here is not to give you a blow-by-blow account of how to carry out a risk programme, but to frame the project in terms that make it understandable and achievable, rather than something you put to one side and ignore.

In part one, we talked about getting everyone on board with the project, assigning a team to carry out the work, and starting to look at what needs to be protected and where we can accept the risk. I'd like to spend a little time on the final part of that statement.

What is Risk Appetite?

Budget and time constraints mean you cannot protect everything – or maybe you can, but that is a different article – so you have to choose, and that is where risk appetite comes in.

Risk appetite is the amount and type of risk an organisation (or individual) is willing to accept in pursuit of its objectives. It is shaped by the objectives themselves, the expected benefits, the resources available, the organisation's culture and the wider circumstances it operates in. Stating the risk appetite clearly and applying it consistently keeps day-to-day decisions and risk treatment aligned with the organisation's strategy and values. In practice it is most useful when written down as concrete statements the team can test a decision against: for example, how long a given system may be unavailable before it matters, or which data must never be exposed.

Getting to grips with this concept and applying it to your organisation lets the risk project move forward with a clear understanding of its goals.

Of course, the uncertainty remains: the risk you choose to accept may be exactly what threat actors go after next. That is why the risk appetite, and the plans and responses built on it, must be reviewed regularly and always be ready for change.

Next?

Understanding risks and what can be done about them.


Clive Catton MSc (Cyber Security)

Further Reading

Risk. Where do you start?

Risk, Risk, Risk.

Whiteboard image clivecatton.co.uk

Featured photo by Pixabay