Mark Carey explores this important aspect of business continuity and risk management programs.
Over six years ago, when I was starting the US ERM practice for Ernst & Young, the partner I worked for had a corporate finance background and continually encouraged me to connect risk management principles to finance concepts. This led me to develop, early on, concepts that would connect risks to the financial value drivers of an organisation. In recent years, this approach has evolved to include stakeholder value drivers as well as inputs from Balanced Scorecard concepts. It has evolved into a relatively clear way to articulate risk appetite in terms that business managers can understand and incorporate into their day-to-day management processes.
‘Risk appetite’ is a term that is frequently used throughout the risk management community, but it seems that there is a lack of useful information on its application - outside of financial risk areas or other risks that can easily be translated into financial terms. Risk appetite, at the organisational level, is the amount of risk exposure, or potential adverse impact from an event, that the organisation is willing to accept/retain. Once the risk appetite threshold has been breached, risk management treatments and business controls are implemented to bring the exposure level back within the accepted range.
To define your organisation's risk appetite and determine the acceptable level of risk, you should answer the following questions:
- Where do we feel we should allocate our limited time and resources to minimise risk exposures? Why?
- What level of risk exposure requires immediate action? Why?
- What level of risk requires a formal response strategy to mitigate the potentially material impact? Why?
- What events have occurred in the past, and at what level were they managed? Why?
Each question is followed by a ‘Why’ because the organisation should be able to articulate the quantitative and/or qualitative basis for the appetite, or it will come off as backwards-looking (based only on historical events) or even arbitrary.
My company, DelCreo, has developed a methodology and strategic approach that helps organisations, as well as the security, risk and control functions contained therein, develop and articulate their risk appetite. The key deliverable in this process is the risk appetite table.
The Risk Appetite Table has three key elements:
- Impact table
- Likelihood table
- Risk appetite table
Recent changes in global regulations that encompass security, risk and control implications have raised the awareness around the concept of risk appetite, particularly among the management team. Many organisations - from the board level down - are currently struggling with risk management in general, and understanding and implementing meaningful processes, metrics and strategies in regards to risk appetite. The process we use to articulate the risk appetite for an organisation or a function is described in the sections that follow.
At first glance, the process we are describing may look like a typical risk mapping exercise; in fact, this exercise should be applied to risks previously identified in a risk mapping project. The manner in which you design your appetite and implement follow-up risk management processes will carry business continuity, incident management, business management and strategic implications that go far beyond a risk identification activity.
The first step in developing your organisation's risk appetite is to identify who the key stakeholders are. Stakeholders can be any person, group or entity that can place a claim on the organisation's attention, resources or output, or is affected by that output. Stakeholders tend to drive decision making, metrics and measurement, and, of course, risk appetite. They may be internal or external - don't neglect stakeholders that have a direct impact on your salary and performance reviews! Once stakeholders have been identified, list the interests, benefits and outputs that stakeholders demand from your organisation, such as:
- Shareholder value
- Compliance with regulations
- Product safety
- Privacy of personal information
The interests, benefits and outputs that stakeholders demand are often defined at a high level, making it difficult to articulate direct impacts your function has on the outcome. For example, shareholders are interested in increasing shareholder value. It is difficult to know that you are directly impacting shareholder value with a particular risk management activity. However, by managing costs effectively and reducing the number of loss events, you can be assured to positively impact shareholder value. Ultimately, business and function strategies are designed with the intent of creating value for key stakeholders. Value drivers then, are the key elements/performance measures required by the organisation to meet key stakeholder demands; value drivers should be broken down to the level where they can be managed. You should identify potential value drivers for each key stakeholder group; however, seek to limit the value drivers to those that your security, risk or control program can impact in a significant way. The core element of the risk appetite table is determining how you will describe and group potential impacts and the organisation's desire to accept those impacts.
The Balanced Scorecard approach provides one method for identifying value drivers. This describes a process or framework for articulating strategies that create value. The Balanced Scorecard approach was developed by Robert S. Kaplan and Robert D. Norton and is an approach used by many organisations around the world.
Key risk indicators
Key risk indicators are derived from the value drivers you have selected. Identification of key risk indicators is a three step process:
- Identify and understand value drivers that may be relevant for your business or function. Typically this will involve breaking down the value drivers to the level that will relate to your program.
- Select the key risk indicator metric to be used.
- Determine appropriate thresholds for each key risk indicator.
Value driver breakdown:
- Increase Revenue
- Lower Costs
- Prevent Loss of Assets
Key risk indicators:
Increase Revenue - Lost revenue due to business interruption
Lower Costs - Incremental out-of-budget costs
Prevent Loss of Assets - Dollar value of lost assets
Incremental out of budget cost:
Level One Threshold 0-50K
Level Two Threshold 51-250K
Level Three Threshold 251K-1M
Level Four Threshold 1M+
One of the more challenging aspects of defining your risk appetite is creating a diverse range of key risk indicators, and then level-setting each set of thresholds so that comparable impacts to the organisation are being managed with comparable attention. For example, how do you equate a potential dollar loss with the number of customers unable to receive customer support for two days? Or even more basic, is one dollar of lost revenue the equivalent of one dollar of incremental cost?
It is equally important that you carefully consider how you establish your thresholds from an organisational perspective. You should fully consider whether you are establishing your program within the context of a single business unit, a global corporation, or from a functional perspective. Each threshold should trigger the next organisational level at which the risk needs to be managed. This becomes an actual manifestation of your risk appetite as risk management becomes more strictly aligned with management and the board's desire to accept certain levels of risk. These thresholds, or impact levels, should be commensurate with the level at which business decisions with similar implications are managed. For example, a risk appetite impact table being defined for the insurance and risk financing program might be broken down as follows:
Threshold Level 1 - Manage risk or event within business unit or function
Threshold Level 2 - Risk or event should be escalated to the insurance & risk financing program
Threshold Level 3 - Risk or event should be escalated to the corporate treasurer
Threshold Level 4 - Risk or event should be escalated to the corporate crisis management team or the executive management team.
The likelihood table reflects a traditional risk assessment likelihood scale. For this example, it will remain simple.
Level 1 - Low probability of occurring
Level 2 - Medium
Level 3 - High
Level 4 - Currently impacting the organisation
There is a wide range of approaches for establishing likelihood metrics ranging from simple and qualitative (as in the example above) to complex, quantitative analyses (such as actuarial depictions used by the insurance industry).
Risk appetite table
The risk appetite table helps an organisation to align real risk exposure with its management and escalation activities. An event or risk is assessed in the risk appetite table and assigned a risk score by multiplying the impact and likelihood scores. Ranges of risk scores are then associated with different levels of management attention. The escalation levels within the risk appetite table will be the same as the levels in the impact table. The actual ranking of a risk on the risk appetite table will usually be lower then its ranking on the impact table - this is because the probability the risk will occur has lowered the overall ranking. Incidents or events that are in process will have 100 percent chance of occurring; therefore their level on the risk appetite table should equal the ranking on the impact table.
Score between 1-4 - Manage risk or event within business unit or function
Score between 5-8 - Risk or event should be escalated to the insurance & risk financing program
Score between 9-11 - Risk or event should be escalated to the corporate treasurer
Score between 12-16 - Risk or event should be escalated to the corporate crisis management team or the executive management team
RISK APPETITE: A PRACTICAL APPLICATION
The following section provides a practical application of the risk appetite table. We will use the risk appetite of an information security department for our example.
Determine the impact score
A vulnerability is identified in Windows. Consider the impact to the organisation if this vulnerability were to be exploited. You should factor in your existing controls, risk management treatments and activities including the recently implemented patch management program. You decide that if this vulnerability were to be exploited, the impact to the organisation would be very significant because every employee uses Windows on the workstations. You have assigned the event an impact score of 4 out of 4.
Determine the likelihood score
Consider the likelihood of the event occurring within the context of your existing controls, risk management treatments and activities. Because of the availability of a patch on the Microsoft website and the recent success of the patch management program, you are certain that the number of employees and, ultimately, customers, that are likely to be impacted by the vulnerability is Low. You assign a likelihood score of 2 out of 4.
Determine risk score and management response
Simply multiply the impact score by the likelihood score to calculate where this event falls on the risk appetite table. In this case, we end up with a risk score of 8 and thus, continue to manage the event in the information security patch management program. If at any point, it becomes apparent a larger number of employees and/or customers may be impacted then was originally thought, consideration should be paid to a more significant escalation up the management chain.
The risk appetite table is ONLY a risk management tool. It is not the sole decision making device in assessing risk or events. At all times, professional judgment should be exercised to validate the output of the risk appetite table. Also, it is critical that the tables should be reviewed and evolve as your program and your overall business model matures.
Once you have completed the development of your risk appetite table, there is still a lot of work ahead. You need to do the following things:
- Validate the risk appetite table with your management team.
- Communicate the risk appetite table to business units, and your peers within the security, risk and control functions of your organisation.
- Develop incident management and escalation procedures based on your risk appetite
- Test your risk appetite table. Does it make sense? Does it help you determine how to manage risks? Does it provide a useful framework for your team?