If there is one element of a GRC framework upon which all else depends, it is the correct formulation of risk appetite, and the translation of appetite into tolerances, thresholds and limits that the organization must operate within. Without this, it’s simply impossible to manage risks effectively.
Risk appetite can be defined as the quantity and types of risk that an organization is willing to assume in pursuit of its strategic objectives. Boards are typically responsible for setting risk appetites, and executive teams then implement them in the business by translating those appetites into more granular risk-taking limits within the most fundamental operating processes.
This is a huge challenge, and most organizations struggle to do it effectively. Those who do it well know it is a bit of art, a bit of science, and a mix of qualitative and quantitative approaches.
Everything depends on the right formulation of risk thresholds: policy, controls and, ultimately, what is expressed as a risk, or not.
However, with the right collaboration and a properly managed process, risk appetite and thresholds can be defined.
GRC teams can work with executives and management to establish meaningful thresholds, or tolerances of acceptable loss, compromise, disruption or disablement of key material business processes, people, or information. Tolerances describe, in tangible terms, the limits within which risk and compliance teams can manage their efforts.
Risk Appetite sets the bar – and the buck stops at the bar. You’ve got to work with the business to understand how much risk the organization is willing to take in a particular area. How high is the bar? Once set, policy, controls and reporting can be calibrated to feed back the right indicators that allow management to make decisions to avoid, treat or transfer risk – efficiently and effectively.
Risk Appetite Definition
- The quantity and types of risk that an organization is willing to assume in pursuit of its strategic objectives.
What you can leverage
- Organizations tend to be fairly good at understanding thresholds in a few critical categories, such as financial liquidity requirements or business resilience and availability thresholds, which are typically defined in terms of business impact of disasters or service interruptions.
- Regulatory compliance thresholds have been formalized through control standards by Regulatory bodies and Professional Standards Organizations.
- Leverage expertise gained in these processes to build competencies at the next level.
What you need to do
- Clearly state the amount and types of risks that the organization is comfortable taking.
- Define maximum tolerable limits, both qualitative and quantitative, based on stakeholder expectations, constraints and strategic objectives.
- Identify actions that need to be taken when the organization’s actual risk profile is outside of tolerances.
What to watch out for
- Risk appetite and thresholds being set by security and risk analysts, rather than the board and business executives.
Risk tolerance calculations ensure that the organization is able to adhere to adopted risk appetites and implement the right escalation procedures. Use of Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) helps risk and security teams understand how the organization currently assesses risks to the business.
Call to action: Find out how your organization formulates risk appetite and thresholds, and build that process into your GRC framework.