“You may run the risks, my friend. But I do the cutting. If we cut down my percentage… Who knows? It might just interfere with my aim.”
Source: “The Good, the Bad and the Ugly (Original title: Il buono, il brutto, il cattivo)”, movie, 1966
Writer: Sergio Leone
Another masterpiece in terms of a movie, where the legendary Clint Eastwood, in his character named Blondie, drops epic lines and is the boss. In this article, I will elaborate more on the subject of risk appetite. A subject, according to myself, that takes the shape of many characters. Good, bad, and ugly ones (as in the title of the movie the quote is from). Risk appetite, in more political wording, comes in many different forms.
PROLOGUE
Textbooks and theories do not always have the answer to how things shall be done in each and every situation. And neither do I. But starting from where an organization currently is situated and operating is a very good way forward in most cases.
Trying to explain quantum physics to a group of people who haven’t yet understood basic mathematics will make no sense. The same reasoning is kind of applicable to the subject of risk appetite in relation to security. Trying to define risk appetite for security without having a sound understanding of the function of security in an organization is kind of like putting the wagon in front of the horse. Approaching things in the wrong way and hoping for a positive result. We will get back to this part later.
The practical application of the terms Risk Capacity, Risk Tolerance, and Risk Appetite will differ between organizations. It will not always look the same. And I do not think that it actually needs to look the same. What matters is how the effects are realized. This is my opinion though. A fluffy high-level risk appetite statement that just sits on an internal webpage will not do a smack. Sorry to say it, but this is the reality. Do not strive to accomplish this. But in reality, this is how many organizations do it. Unfortunate but true. This is useless. This is a bad way…as I see it at least.
Two common ways of managing risk appetite are: the Risk Appetite Statement or the (among many risk professionals less popular) Heatmap approach. Or a combination of both. What I think of each one is less important at the moment; we will get there later in this article.
I have seen both methods, the combo method, and also many organizations that do not even have either approach but still are fairly risk-aware. They have not bothered with establishing what Risk Capacity, Risk Tolerance, and Risk Appetite are in a quantitative or qualitative approach. I have also been at places where an informal risk appetite statement has been communicated, for example:
“Every investment or opportunity that is lower than 25K$ does not need approval from the upper management.”
So, what is the right way, and what is the wrong way? I would say that this is dependent on the organization. Such a boring answer, but I think pragmatism is one of the most important ingredients of security. I say it over and over again. For sure there are better and less good ways of doing things though. Those which are good, bad, and those ugly ones.
But let’s get back to that risk appetite thing and the practical implementation of it. Ask yourself and your organization:
Why do we need to define Risk Appetite in our organization?
Let me elaborate further on this one for you. If, for example, risk appetite is not defined for other types of risk, it can be a bit challenging to start with defining one for security risk. I mean, writing the statement is the easy part here. The challenge lies in how the message and application of it will be practiced.
How will you, as a security leader, make sure it is applied in practice and understood within your organization by those who need to understand it and what it means for them in their daily work? Say hello to Change Enablement.
This is the real challenge and is highly dependent on the overall maturity of risk management in the organization. If the maturity is low, the organization will naturally have a bigger hurdle to overcome to understand “why” and “what” risk appetite is. Yes, this is still the case in many organizations in 2024 (when this article was first written). Risk management is not something that is a natural part of every organization’s DNA. Not only from a security point of view but also from an enterprise perspective.
So where should everything start from? What and how should a risk appetite journey start out? Once again, at least according to my own philosophy: from where an organization is currently operating and from its individual maturity level.
REALITY
Let’s say that an organization is less mature when it comes to security, and looks at it mainly as an IT thingy or a cost center. In that case I think the conversation needs to start from somewhere else. Starting to develop a risk appetite statement for security is less likely to be value-adding.
The work should start, according to my philosophy, by ensuring that the organization understands that security is a supporting function in an organization. And by clarifying how security adds value to an organization. It must also be made clear that security risks, if actualized, can have huge negative consequences for an organization. For example from a financial, reputation, brand, and/or compliance perspective. This is key!
Creating awareness within the organization of the relationship between security risks and the business is key. Without this, it is not only that risk appetite thing that will suffer. It is sh*t loads of other foundational security elements, such as but not limited to strategy, governance, compliance, awareness, controls, and capability development, that will have a hard time.
And I think that the development of an organization’s risk appetite is not the first step in this exercise. Others think otherwise, and that is fine by me. Some think that the risk appetite development is what “solves” the question mark. For me, it can be a part of the puzzle but not the unicorn solution.

But at another organization, where there has been a security incident resulting in intellectual property, customer data, and company secrets being stolen, in combo with a ransomware situation, it might make perfect sense to start with defining the risk appetite related to security risk. This organization has felt the pain from a security risk and experienced what it means.
Every situation is not the same. But in general, the creation of a risk appetite statement should start out from the top of the organization “setting the tone”. Setting the scene for the amount of risk the organization is willing to take in relation to the context, i.e. in this case security. This shall take place at the board level and through the executive leadership. It should take place when risk management is established as a discipline and function within an organization.
Real life fact
Independent of the organization and situation exemplified above, both organizations would most likely end up having a “[…] low/conservative risk appetite to security risks.”. Very few organizations, if any, reason, formally or informally, in other terms, as a security risk potentially may have a very strong negative impact on an organization from a business, brand, reputation, operational, financial, or trust point of view.
Keep in mind: That risk appetite statement will not make bad things go away. It is not a vaccine against future security risks. It is not a unicorn solution that will “fix security” in an organization. It can be a piece of the puzzle though.
And obviously, organizations still function pretty well without it, as not every organization has one. With all this said, I think that it can be helpful though. It can be used as a “tool” to better guide an organization, and the dialogues taking place, with the help of a model (statement, figures, quantitative metrics, heat maps, or others), towards more desirable outcomes. Let’s call this decision-making.
You can look at risk appetite as a navigation unit in a vehicle that visualizes the direction. But I do not think it is always a thing that dictates the absolute answer, in binary form, for the direction. Navigating a car can still be done without a navigation system. But it gets easier with one, and the risk of going in the totally wrong direction is reduced if these tools are used. Or if you are traveling to a new place where you have never been before: in that case, the navigation system will in most cases be found helpful.
THE CREATURE “RISK”
Risk is a creature that has a dynamic form and changes over time. And so does Risk Appetite, to some extent, within an organization, but the foundation should more or less remain the same. But it is not static, and for this reason I think it is wise, if there are no absolute requirements or demands for a static model of Risk Capacity, Risk Tolerance, and Risk Appetite, to approach it with some flexibility. Not to be a totally loose cannon and cowboy things –> have a miles-wide span, range, level, etcetera. My suggestion is: be pragmatic. Do not make it an obstacle for the organization. Use it to support success and reduce risk. To make those intelligent decisions.
Is that heat map approach a suitable approach for you? Maybe as a good initial model for better practicing what risk appetite means within your organization? Here and there, this methodology is used to draw risk appetite as a baseline and, with the help of it, facilitate dialogues. Something like:
“According to our risk analysis, and with the help of the data and information we have collected, the risk scoring is at the upper end and close to stepping outside of our risk appetite.
This, on the other hand, does not dictate that the decision shall be a mandatory No-Go, but we should use this indicator to commonly, within this steering group, together discuss the potential negative implications and how we can reduce the risks involved.”
I am not saying that this is how things shall always be done when it comes to risk appetite. But this is how it can be used, and is used here and there. The heatmap is not the only way, as I said before, but it is a practical application of what risk appetite can look like. And it might be one place to start out. The blue highlighted fields in the risk matrix exemplify the range, between 4 – 6, of risk appetite.
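To make the heat map baseline concrete, here is an added example (mine, not code from the article or its author) that places a handful of constructed risks on a matrix and checks each one against the appetite band. The article only says the blue fields cover the 4 – 6 range and that a score at the upper end should trigger a steering-group discussion rather than an automatic No-Go; everything else here is an assumption: a 1–5 scale for likelihood and impact, score = likelihood × impact, score 6 treated as the “upper end”, and anything above 6 treated as outside appetite. The risk names and ratings are made up for illustration.

```python
"""Heat-map style risk appetite check.

Added illustration, not from the article. Assumptions (not stated on the page):
a 5x5 matrix with likelihood and impact rated 1-5, score = likelihood * impact,
and the 4-6 band from the article used as the appetite baseline. A score at the
top of the band is flagged as "upper end" so the steering group knows the risk
is close to stepping outside; anything above the band is outside appetite.
"""
from dataclasses import dataclass

SCALE = range(1, 6)               # assumed 1..5 rating scale
APPETITE_LOW, APPETITE_HIGH = 4, 6  # the 4-6 band mentioned in the article


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int


def score(risk: Risk) -> int:
    """Multiplicative score; raises on ratings outside the assumed scale."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.name}: likelihood and impact must be 1-5")
    return risk.likelihood * risk.impact


def appetite_status(risk: Risk) -> str:
    """Classify a risk relative to the appetite band (my labels, not the article's)."""
    s = score(risk)
    if s > APPETITE_HIGH:
        return "outside appetite"
    if s == APPETITE_HIGH:
        return "upper end of appetite"
    if s >= APPETITE_LOW:
        return "within appetite band"
    return "comfortably within appetite"


def review_queue(risks: list[Risk]) -> list[str]:
    """Names of risks the steering group should discuss: upper end or outside.

    This mirrors the article's point that the indicator is a prompt for
    dialogue and risk reduction, not a mandatory No-Go.
    """
    return [r.name for r in risks
            if appetite_status(r) in ("upper end of appetite", "outside appetite")]


def render_heat_map(risks: list[Risk]) -> str:
    """Text rendering: rows are impact 5..1, columns likelihood 1..5.

    Each cell shows the score; '*' marks cells inside the 4-6 appetite band
    (the article's blue fields). A legend lists where each risk landed.
    """
    lines = ["impact \\ likelihood " + "".join(f"{l:>6}" for l in SCALE)]
    for impact in reversed(SCALE):
        cells = []
        for likelihood in SCALE:
            s = likelihood * impact
            mark = "*" if APPETITE_LOW <= s <= APPETITE_HIGH else " "
            cells.append(f"{s:>5}{mark}")
        lines.append(f"{impact:>19} " + "".join(cells))
    for r in risks:
        lines.append(f"{r.name}: L{r.likelihood} x I{r.impact} = {score(r)} "
                     f"-> {appetite_status(r)}")
    return "\n".join(lines)


# Constructed sample register (illustrative values only).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing service", likelihood=4, impact=5),
    Risk("Laptop theft (disk encrypted)", likelihood=3, impact=2),
    Risk("Phishing attempt against staff", likelihood=2, impact=2),
    Risk("Config drift in test environment", likelihood=1, impact=2),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    print("For steering-group discussion:", review_queue(SAMPLE_RISKS))
```

The point of `review_queue` is the article’s own: a score in the blue band or above is an indicator that starts a conversation about reducing the risk, not a switch that decides the outcome. Swap the band, the scale or the scoring rule for whatever your organization’s existing risk model already uses.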

Fun fact
I am actually not one of those who think the risk heat map is the magic wand of risk management. It is not the silver bullet. I think it has its place where it makes sense though. An observation I have made on the internetz is that there seem to be two risk-heat-map camps. Those who have negative feelings about it and those who have positive feelings. Those polarized ends meet in the digital arena and get the chance to express their opinions.
“Heat maps are <rantz>!!!“.
“Let’s put the risk on the heat map<3!”
I kind of understand the narrative and “why” behind these rants. But, do you really need to polarize the discussion and subject into a “love & hate” scenario? The good and bad…and ugly? At the same time, I think this is the “beauty” of the internet. Polarized opinions meet each other in both productive and less productive conversations.
Personally, I think that we as security people should spend more time on solving actual problems and not waste our time raving about a colored matrix. Or debating qualitative methods vs quantitative methods. We on the defensive side spend waaaaaaay too much time battling out our egos against each other. Here and there I think it’s needed though, as it is from some of these interactions that new perspectives are found and new methods are forged. But in general, I think we as security people should spend our time on more constructive discussions. Maybe helping each other instead of throwing sand at each other, or at those poor theoretical models out there, to make ourselves look cool(?).
EPILOGUE
Risk appetite: how do you get it going in the wanted direction? I think that a sound way forward, for any organization, is to start by using the current risk management model (if there is one) and see what form of risk appetite methodology is supported. Use what you currently have and do not start by reinventing the wheel. There is no need for that.
To get a true understanding of what risk appetite in your organization is about, I strongly suggest sitting down with your key stakeholders in the different business processes and discussing what Risk means for them. Guide and coach the dialogue. And let your key stakeholders explain to you what their risk appetite is. Now, this might not be an easy task if they do not understand what you are saying or speaking about. In this case, it is up to you as a security expert to make yourself understandable.
If you have run into this situation before or want to become better at speaking and communicating about any topic related to security, check this article out:
Security in an organization is a supporting function. And when that security risk appetite is to be defined <*drum-roll*>, it is not for the security team. It is for the organization the security team is supporting.
This one might be a helpful suggestion as well. If there is a risk register or other form of system in place where your organization records its risks, investigate the risks to see if you, together with your stakeholders, can find data and information to help you better understand the risk appetite. What form of risks is your organization accepting? What risks is your organization avoiding? Are there any data points that point you in the right direction?
I do not say that the risk appetite method you are developing for your organization needs to be only this or that. You decide what you need to establish based on your organization’s needs and maturity. Whether it is a range, a heat map with a baseline, a risk appetite statement, KRIs, or all three of these things and 10 other things. Or none of these things.
Start somewhere and reason about what makes sense. What is a pragmatic and value-adding approach? Yes, I am back there again –> pragmatic. The sh*t we create in security-ville needs to work in reality.
Develop something together. Try it out. Evaluate how it worked. Did it provide any benefits? Did it provide guidance? Was it helpful? Or did it make things more complicated?
I strongly recommend trying the things you invested your time in more than just once. Practice together. Develop and document easy guiding principles that can help out in the facilitation of how to use the things you have crafted.

And if it turns out that this risk appetite thing is not something that is value-adding for your organization, then there is a solution to that as well. Stop doing it, go back to where you were before. Skip the risk appetite concept. Your organization will most likely function without it, as it did in your prior state before trying it out. Maybe the organization is not mature enough for it at the moment? Maybe the conversation needs to start from another place?
I am fully aware that some risk management gurus and practitioners do not agree with me on these suggestions. I am fine with that. And as I said, and have said many times before –> I strive to apply a pragmatic approach to security where risk management is one discipline.
Instead, if risk appetite is not a thing for your organization at this point, focus the resources on conducting intelligent risk assessments and analyses. Develop a system, for example a risk register, where the risks are recorded and collected, if one does not exist already. That might provide more bang for the buck at the moment. Do those things that provide and improve your organization’s security posture and cyber resilience. Do not blindly follow in the footsteps of certain frameworks, standards, or what other organizations do.
And if you want to read more about what Risk Appetite, Tolerance, and Capacity are, take a look at this article, where I explain what each term means and give examples of each.
But do not be afraid to test new concepts, methods, or interesting things. Be pragmatic. Use risk appetite according to the needs you have in your organization. Do not outsource “how risk management should work” in your organization to a framework, standard, or outsider. Use those things for inspiration but do what is needed in your own organization.
Develop. Practice. Educate and communicate. Do it together. Evaluate. Improve. Contemplate. And reassess. Do what is best for your organization. Start where you are.
Risk appetite example for cybersecurity
“Our organization maintains a conservative risk appetite for cybersecurity. We prioritize robust measures to minimize the likelihood and impact of security breaches. We are aiming to safeguard our information assets and uphold our reputation. Our commitment to a low cybersecurity risk appetite aligns with our dedication to preserving brand integrity, financial stability and to protect our employees, customers and business partners.”
Henrik Parkkinen