In a 2012 customer survey conducted by the Corporate Executive Board (CEB), 70 percent of respondents said they do not have a formal risk-appetite approach in place. "Seventeen percent said they have something in place that is actually working," confirms Matt Shinkman, senior director of risk management research and advisory at the CEB.
This won't come as a surprise to CSOs and CISOs. Most security veterans have seen, or directly experienced, instances of company leadership nodding absently when asked to acknowledge risks, then reacting with complete surprise when a negative event actually occurs.
Conversely, many security experts can also recount cases where the company was not taking on enough risk to achieve its aggressive business goals.
It's hard to implement business-appropriate security controls without a clear understanding of how much risk, and what kinds of risk, the business is willing to accept. The solution is an accurate formal picture of risk appetite.
Yet it is difficult, at best, to derive accurate risk-appetite assessments. CSOs need direct participation from other C-level executives to calculate risk appetite reliably, and may find that formal frameworks provide useful tools for the job.
The Roots of Risk-Appetite Misperception
Many organizations believe they have a consensus on their risk appetite. "From the companies we work with, we hear that while they don't have a formal risk appetite, they know how they all feel about it. But when we sit down to go over it formally, they don't all see their risk appetite the same as much as they thought they did," explains Shinkman.
Jonny Gray, head of global client risk services for the Americas at Control Risks, suggests that the competing vantage points of the stakeholders formulating the risk appetite impede the process of developing it. "People have different risk appetites based on role and responsibility. Legal has a different appetite than the business developers do," says Gray.
Gray's observations come from workshops his firm leads for organizations wanting to understand their risk appetites.
"When we do these workshops, two things happen. First, the people sitting around the table have widely differing opinions of their company's risk appetite. Second, risk appetite is often delegated to mid-level managers rather than top C-levels," says Gray. Since experts confirm that C-level executives should be at the table, the latter observation is more disconcerting than the former.
Exposures, Intended and Unintended
When executives do not have a clear understanding of their risk appetite on an operational level, their companies may invest in things that expose their organizations to risks the executives or board members may not be willing to take, according to Craig Faris, principal in the Americas risk transformation practice at Ernst and Young.
Sign up for CIO Asia eNewsletters.