Even though risk tolerance and risk appetite are used interchangeably in most cases, they are different from one another by a certain degree. With many standards and regulations focusing on the process of risk management, only a few of them define clearly the distinctions between the two terms appropriately. Nonetheless, you must know how to distinguish between risk tolerance and risk appetite to help you in developing the necessary controls for protecting data. Doing so will help you develop a suitable cybersecurity program.
Risk Tolerance versus Risk Appetite: What is the Difference?
In case you are adopting an enterprise risk management approach when it comes to cybersecurity, your risk appetite ought to focus on amount or type of risk that you consider acceptable based on both your business resources and objectives.
For instance, if you operate as a payment processing entity, your attention may be in retail. Nevertheless, part of your enterprise risk management (ERM) may involve moving into the healthcare space. In such a case, if you are willing to accept all the legal risks that stem from the Healthcare Portability and Accountability Act or HIPAA, then you have created your risk appetite.
Alternatively, risk tolerance entails how you decide the degree of risk you want to accept. Looking at the payment processing example, although you may be willing to take on the risk associated with shifting into healthcare, you might withhold from recognizing all the inherent risks involved in constantly monitoring protected health records. Hence, you will end up transferring the risk to another entity, a third-party vendor.
When you have an appetite for steak dinner, you might fail to consume the entire piece due to reaching your tolerance point. This case also applies to cybersecurity risks.
What does a Risk Appetite Statement mean?
It entails a written document that helps in explaining your risk decisions. The statement not only enables you to inform both external and internal stakeholders about your risk appetite but also triggers more necessary conversations for driving strategic objectives.
How to Develop a Risk Appetite Statement?
Back in 2018, ISO or otherwise known as the International Organization for Standardization revised the risk management guidelines featured in the popular ISO 31000 standard. Even though this particular standard does not use “risk appetite,” it hints the term, particularly under “establishing the amount and type of risk that may or not be taken.”
Aside from creating a risk management framework, which allows you to come up with a risk appetite statement, ISO 31000 helps in formalizing the process of risk management. Through integrating the process and framework, you can develop the right risk appetite statement.
Step 1: Communication and Commitment
Talk about the business objectives and strategies with the other leaders in your organization. Doing so will help you in knowing the amount of risk you are willing to accept and determine whether such risks can meet the most critical organizational goals. Communication across the entire business allows you to take into account the necessary views for creating ownership and defining risk criteria.
Step 2: Defining the Scope, Criteria, and Context to be integrated across the Organization
For the case of integrated risk management, you must determine your position in the entire supply chain. Then, make sure that you review your whole ecosystem. By focusing on the external and internal risk factors, you can define the appropriate evaluation criteria and amount of risk.
Step 3: Designing the Risk Assessment
You can determine, describe and evaluate your risks by communicating your organization’s risk management strategy based on your position in the supply chain. After doing so, you can leverage controls, potential events, control effectiveness, and likelihood to determine whether the levels of risk match your risk tolerance.
Step 4: Implementing a Risk Treatment
It involves the creation of a plan with specific deadlines for identifying the reasons and decisions behind them. Nevertheless, part of this implementation consists in choosing the approaches for handling the risks. Since you need to decide whether to accept, mitigate, or refuse the risk, you must create a treatment plan that will help in implementing such decisions.
Step 5: Evaluating through Monitoring
As part of your organization’s risk appetite statement, you must determine whether to use a combined, qualitative or quantitative evaluation process. After setting metrics, regularly monitor your data ecosystem and environment to ascertain compliance with your organization’s internal risk assessment.
Step 6: Make Improvements based on Reports and Records
Constant monitoring can identify vulnerabilities in your organization’s control environment. Boosting your risk monitoring tasks and communicating such weaknesses enables you to maintain a robust risk management program.
Step7: Summarizing Results for Release
Utilize your risk appetite in fostering communication with both external and internal stakeholders. Nevertheless, numerous risk appetite statements are intended for public consumption including financial reporting.
You may also like: What is Enterprise Risk Management (ERM)?
About the Author
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.