What Is a Risk Appetite?
The concept of risk appetite has been visible in the news recently, with the federal government mandating levels of risk appetite in the banking sector. But what exactly is risk appetite? The Institute of Risk Management defines risk appetite as “the amount and type of risk that an organization is willing to take in order to meet its strategic objectives.”
One example of risk appetite is found in the 2016 Cyber Risk Survey, which asks business managers about the cyber threats they faced in the past year. Two survey questions in particular are worth noting. The first was “Have you implemented, or do you plan to implement, Internet of Things/connected devices in your business?” 56 percent of the respondents said they already had or were going to. The very next question was “To what extent do you agree that the Internet of Things/connected devices are safe for business use?” Only 28 percent said they thought IoT was safe. That means at most half of the people using or planning to use IoT in business think the technology is safe to use. In other words, there is a perceived risk to using IoT, but the business will use that technology regardless, because it sees the benefits as outweighing the risk: the appetite for risk is high when the perceived benefit is high. If the perceived benefit of IoT were not high, that 56 percent figure for people using IoT at work likely would have been much lower.
Whether it’s arming the employees with Fitbits to help them become more health aware (and hopefully resulting in lower health insurance costs), or placing tracking and information sensors in modern machinery, organizations see the risks to these advances, but think the benefits far outweigh the risks.
Risk appetite is a simple, yet important concept. When thinking about risk in terms of appetite instead of avoidance, one quickly learns that risks are not always things to avoid – but things to manage. The appetite concept takes into consideration the benefits achieved if the risk is accepted, as well as how much risk the organization is willing to take in order to realize the benefit. It does not throw risk management concepts out the window. In reality, it makes risk management concepts more effective. With a risk avoidance concept, people try to eliminate risk. With the risk appetite concept, people try to manage risks within acceptable levels, and they think about ways to measure risk and the limits of risk they can accept.
Enterprises often use governance, risk and compliance platforms (GRC platforms) to help identify, measure, manage, and understand risks and their benefits. With a GRC platform, risk management concepts can be visualized and combined with the risk appetite concept, placed in greater context with strategic goals and activities.