Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Describing and documenting an enterprise’s risk appetite is complicated, because usually it can only be done in qualitative or subjective terms. A common measure of risk appetite can be what the enterprise decides to spend to mitigate risks.
That said, some key principles can be documented and serve as guidance to organizational units as they try to decide how to allocate resources against the enterprise’s key information security risks. This piece explains how to use a risk register
to document leadership’s approach to risk and create an effective enterprise risk appetite statement.
This begins with the general topic of risk management, which is key to how the enterprise organizes and runs an information security program. Often, organizations create a risk management program and use that program to help establish where they need
to focus their information security resources. Typical risk management programs focus on:
Constructing a risk appetite from the risk register is relatively straightforward. Specifically, the highest risks from the risk register represent the risks the enterprise determined warrant the most attention. And, most importantly, those highest risks
already reflect substantive input from the executives, so they are well-aligned with leadership strategies and goals.
A risk appetite can be discerned simply by considering what you plan to do or want to do and measuring it against the highest risks to determine whether it moves the needle on them. Clearly, if the matter being considered makes one or more of the highest
risks worse, the executives could be more amenable to spending resources to mitigate that effect.
In looking at this through the optics of a risk appetite statement, an example of a typical statement boils down to:
The approach outlined above has one nuance: It does not fully consider the benefits of accepting a risk even if it is high. It simply focuses on addressing all the worst risks in the risk register and avoiding any actions that may exacerbate them.
However, there may be situations when a proposed action has such significant business benefits it is worth pursuing, even in the face of having to accept very high risk in the process. Typically, in every case where a proposed business plan or action
engenders very high risk, the business decides to take actions to mitigate that risk to bring it down to tolerable levels. But, that does not necessarily mean that such a situation may never happen. One option is to address it in a risk appetite statement
is to add a fourth paragraph. An example of which may read something similar to the following:
"Where a proposed action or activity makes the worst risks worse or elevates a lower-level risk to a high-risk category, and suitable mitigations are unavailable, ineffective, or prohibitively expensive, the impact of accepting the risk shall be measured
against the business benefits expected to result from the proposed action or activity. In rare cases, the latter may outweigh the former, but such a judgment shall only be rendered by senior executive leadership."
Finally, the enterprise may have some risks it wishes to declare “inviolate.” That is, the enterprise is unwilling to accept any actions that may worsen them. Examples can include regulatory risks, i.e., risks associated with a regulator citing
the enterprise for quality of care, protection of patient data under the Health Insurance Portability and Accountability Act (HIPAA) and so on.
Another example could be risks associated with violating the Payment Card Industry Data Security Standard (PCI-DSS) because that could imperil the use of credit cards for payment. The enterprise should list such risks and could include a final paragraph
in the risk appetite statement to cover them:
It is critically important the enterprise risk register truly reflect the full input of executive leadership or else the risk appetite statements cited above will have no real effect. Leadership must be fully committed to the risk register, and that can
only happen if they have a key hand in its formulation. InfoSec leaders should be able to trace risk register contents back to the areas of concern or worries the executives expressed, or you could run the risk of the contents possibly being dismissed
as just an academic exercise.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.