2018-07-13
CISOs who define their technology risk appetite will optimize business performance, improve risk management processes and better meet external stakeholder expectations
New ideas sprout up at organizations daily. Marketing wants to implement machine learning to anticipate customer behaviors. The shared services department is excited to use advanced robotics to automate processes. Before either moves forward, their organization must determine if the ideas fall within an acceptable range of risk. For companies with a defined technology risk appetite, this is a straightforward business decision.
If you don’t know your risk appetite, you aren’t really managing your risks. But if you take no risks, you have no business.
Create a risk appetite statement
A risk appetite is a general statement about how much risk your organization seeks as part of normal business operations. Before you create the statement, you and your team should have several critical discussions:
It’s vital that all stakeholders be included in the discussion. This includes: the board of directors and board of trustees; senior business leaders; other senior security and risk leaders, such as chief risk officers; and project leads. The boards have the authority to sign off and enforce accountability. The business leaders can help you identify and understand business-specific risk levels, which can vary depending on the business focus and activities.
Next, follow these five steps to create your risk appetite statement:
After you’ve finalized your risk appetite statement, determine how to best communicate it. One of the recommendations is to use the three questions that Gartner uses to empower CISOs to adapt to old and new security challenges:
Discuss the answers to each and highlight the point of intersection. Anything that falls outside of that intersection is outside of your technology risk appetite.
Don’t spend too much time on details. This is a broad and often inexact work product. But it’s better than flipping a coin, which is what you’re doing if you don’t know how much risk is the right amount for your organization.
Authored by Jeffrey Wheatman, Research Vice President at Gartner