What is Risk Appetite?
Every organisation will have a concept of Risk Appetite, or an equivalent. In the Public Sector, this is primarily expressed and controlled via the HM Treasury Orange Book.
The Orange Book describes risk appetite as:
“The amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time”
Effectively, this is about how much risk you want. It is generally expressed in terms of how few bad things you hope will happen.
What is Risk Tolerance?
Fewer organisations have a mature concept of Risk Tolerance. It is, however, typically far more powerful. There is no formal industry definition of tolerance; however, it is typically characterised as:
“The amount of risk that an organisation can sustain / recover from and continue to operate its core functions”
This measure marks the distinction between a recoverable loss and an extinction-level event for your organisation. It is the final line in the sand: the point that, if passed, you would not recover from. It would typically be expressed in terms of which systems / data you can lose and still operate, and how many outages / breaches your operations, finances and reputation can sustain.
It is a survivability score.
Risk Tolerance Activity:
Jot down a brief statement of the assets your company could lose and still operate. What are your crown jewels: the last line that, if you lost it, would mean closing shop?
Then, in slower time, review how much of your investment / security effort is focused on your last line versus how much you spend on things you can afford to lose.
Is it 80/20, 70/30, 60/40?
The Four Common Risk Response Strategies
- Avoid – Changing plans to overcome the problem
- Transfer – Move the risk to another party
- Mitigate – Reduce the impact of the threat
- Accept – Identify and accept low-impact risks
Planning and Response
Our CTO, Adam Gwinnett, says: “The key focus between Risk Appetite and Risk Tolerance, in my opinion, is in assessing how much activity is occurring to maintain your operations within your Risk Appetite. Then if something takes you below your appetite and you start heading towards your tolerance, what changes in your plans and how do you respond to address this?
The closer the gap between your Appetite and Tolerance positions, the more urgent and focused your response needs to be. Also, the more likely that you will need break-glass or alternative response mechanisms outside of your usual BAU processes in order to reinforce your position.
Having trusted partners, robust backups, standby systems and a specific and rehearsed response plan all contribute in this space.”