Tips for Setting or Evaluating Risk Appetite

Author: Lisa R. Young, CISA, CISM, CISSP, Security Metrics Engineer Netflix
Date Published: 15 April 2020

At an enterprise level, risk management is about achieving strategic objectives and creating value, all while ensuring that the activities undertaken are neither too risky nor too conservative to achieve the stated outcomes. In everyday operations, this means that the outcome of any strategic objective is uncertain until the objective is actually achieved, or until the effort instead ends in a loss event, incident or crisis.

Effective risk management begins at the highest levels of the organization with well-formed and articulated risk appetite statements. The statements, when clearly understood, communicated and practiced, serve as the guide to the behaviors, decisions, limits and policies that provide the boundaries under which risk management practices operate within an enterprise.

As a reminder, risk appetite is the amount of risk an entity (i.e., an enterprise or a public or private organization) is willing to take to achieve its strategic objectives. For example, a risk appetite statement for a healthcare provider might be: “We place patient safety as our top priority. We also recognize the need to balance the level of immediate response to all patient needs with the cost of providing such service.” This demonstrates a low appetite for risk that might impact patient safety, balanced with a higher appetite for risk related to response times for patient care and customer service.

Risk tolerance is the amount of variation in the parameters used to measure risk appetite. For the healthcare provider mentioned previously, an example risk tolerance statement may be: “We plan our staffing to treat all patients within 5 minutes of their appointment time, and emergency walk-in patients within 15 minutes. However, management accepts that in rare situations (5% of the time) patients in need of non-life-threatening attention may not receive that attention for up to 4 hours.”

Here are some questions that can help you when evaluating risk appetite and developing statements that can be tested and improved over time:

  • Are the management and governance entities of the organization aligned on the business outcomes that are unacceptable to the enterprise? What is the process to periodically evaluate risk appetite statements if there are significant changes in the business, mission or other conditions?
  • Are the unacceptable outcomes clear and communicated to everyone who needs to know? Is everyone clear on the types of risk that the organization is willing to take vs. those it wants to avoid?
  • If someone were aware of a potential risk, is there a way to raise a concern or ask for an inquiry before a negative event occurs? How would you determine the effectiveness of the organization’s process for identifying, assessing and reporting risk in relation to the stated risk appetite?
  • Do the people on the front line of the enterprise know the boundaries, parameters, control limits or other constraints on risk-taking decisions for their role? An example of a control limit in a bank is a junior staff member having an upper financial limit on the amount of a check that can be cashed, while a senior staff member has a higher limit because he or she has more experience in the operational environment. In many organizations, upper and lower limits on decision-making are integrated into the workflow and help ensure that the optimal risk appetite is maintained.
  • Are there published financial loss limits, regulatory compliance, business interruption, operational performance, life, health or safety impacts that are clearly defined and communicated? Do these published limits exist for information security, cybersecurity, technology, events or incidents?

Whether your organization is just getting started with a more formal risk management process or already has a process but wants to make sure it is aligned with best practices, an updated ISACA® publication, The Risk IT Practitioners Guide, is coming soon and can help. The guide is intended to build awareness of risk management; it is not focused on control selection or on internal control deficiencies as contributors to risk. This guide has the potential to improve the effectiveness of your enterprise through the implementation of sound risk management processes.

Lisa Young, CISA, CISM, CISSP, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.