In a 2012 customer survey conducted by the Corporate Executive Board (CEB), 70 percent of respondents said they do not have a formal risk-appetite approach in place. "Seventeen percent said they have something in place that is actually working," confirms Matt Shinkman, senior director of risk management research and advisory at the CEB.
This won't come as a surprise to CSOs and CISOs. Most security veterans have seen, or directly experienced, instances of company leadership nodding absently when asked to acknowledge risks, then reacting with complete surprise when a negative event actually occurs.
Conversely, many security experts can also recount cases where the company was not taking on enough risk to achieve its aggressive business goals.
It's hard to implement business-appropriate security controls without a clear understanding of how much risk, and what kinds of risk, the business is willing to accept. The solution is an accurate formal picture of risk appetite.
Yet it is difficult, at best, to derive accurate risk-appetite assessments. CSOs need direct participation from other C-level executives to calculate risk appetite reliably, and may find that formal frameworks provide useful tools for the job.
The Roots of Risk-Appetite Misperception
Many organizations believe they have a consensus on their risk appetite. "From the companies we work with, we hear that while they don't have a formal risk appetite, they know how they all feel about it. But when we sit down to go over it formally, they don't all see their risk appetite the same as much as they thought they did," explains Shinkman.
Jonny Gray, head of global client risk services for the Americas at Control Risks, suggests that the competing vantage points of the stakeholders formulating the risk appetite impede the process of developing it. "People have different risk appetites based on role and responsibility. Legal has a different appetite than the business developers do," says Gray.
Gray's observations come from workshops his firm leads for organizations wanting to understand their risk appetites.
"When we do these workshops, two things happen. First, the people sitting around the table have widely differing opinions of their company's risk appetite. Second, risk appetite is often delegated to mid-level managers rather than top C-levels," says Gray. Since experts confirm that C-level executives should be at the table, the latter observation is more disconcerting than the former.
Exposures, Intended and Unintended
When executives do not have a clear understanding of their risk appetite on an operational level, their companies may invest in things that expose their organizations to risks the executives or board members may not be willing to take, according to Craig Faris, principal in the Americas risk transformation practice at Ernst and Young.
There is unfortunately no shortage of examples of such cases. Oil companies have invested in drilling in certain areas without taking a full accounting of the environmental risks involved. "In the Gulf of Mexico, oil companies knew the risk existed, but these risks exposed and damaged their brands. If they had considered the actual risk level, they could have said, 'No, we don't have the capacity to manage that risk,' or, 'Let's do it and increase our capacity to manage that risk,'" says Faris. (See the Gulf Oil Spill Tracker for an idea of the frequency of these events.)
In the consumer products industry, companies release products without thinking through their exposure. One example is products that are intended for small children but that pose a choking hazard. "Companies often do not contemplate their risk, which can go way beyond their desired appetite to include legal risks," says Faris.
Companies experience risks in foreign nations, including places where the C-suite did not know the company had assets. "We help clients where their people have been kidnapped and the C-levels did not know they had people in that country. There is a misalignment between risk taking and risk appetite," says Gray.
Gray's firm addressed an expropriation issue in Venezuela, where President Hugo Chavez's government had nationalized a foreign business. Executives at the business's European headquarters were surprised that they had exposed themselves to this risk.
"The fact that these organizations are unaware they have such risk suggests a breakdown in governance of risk management," Gray says.
There are also cases where companies discover that their risk appetite is too small. "A healthcare organization had a CEO who felt that his company was too conservative and that his business leaders were not taking full advantage of the opportunities facing their industry," says Shinkman. In this instance, the CEO asked internal leadership about risk appetite and whether the company was taking on enough risk.
"In the end, they invested more aggressively into another line of business, using an increased risk appetite to seek out greater opportunity," says Shinkman.
In another instance, Shinkman relates, a large bank grew its risk appetite after asking itself, 'How do we want to run the business, and what do we want our portfolios to look like?'
"When the bank's Middle Eastern portfolio took a big loss, the bank executives decided they were comfortable with that level of risk," he says.
Articulating and Addressing Risk Appetite
To articulate risk appetite, the CSO should gather the company's strategic ambitions at the highest level. "The CSO needs to determine the risks the organization must take to achieve those ambitions, the risks that are unacceptable, and the risks the company has to take as a part of executing in the given market," says Faris. The CSO should engage the C-suite and the board in making these determinations.
Gray takes stakeholders through the risks associated with conducting the given type of business using a risk matrix. "We ask them whether a given exposure to risk is acceptable given the likelihood and severity of the risk," says Gray. Then the organization can decide how to address the risk.
According to Gray, at this stage stakeholders decide whether to tolerate, terminate, treat or transfer the risk. If the risk is acceptable, the company will not do anything about it. If the risk has changed or is unacceptable, the company will terminate it by ceasing those operations. Treating the risk means reducing the likelihood or impact of the risk, and transferring the risk means covering it through insurance.
Using Risk Frameworks
Security experts point to risk frameworks and methodologies that apply to ERM and risk appetite, alongside the proprietary methodologies that they use or see organizations using.
"About 40 percent of the companies we work with base their ERM on COSO, and another 40 percent base theirs on the ISO 31000. The other 20 percent use an ad-hoc or homegrown approach," says Shinkman. (Also read COSO for CSOs, an interview with framework co-author Richard Steinberg.)
The PricewaterhouseCoopers Americas Risk Transformation Practice uses its own distillation of industry practices rather than frameworks to guide clients to improve operational strategic performance by measuring their operational risk appetite. "Frameworks are not as valuable as our expertise and experience," Faris contends.
"Because we need a global methodology, we have our own standard that we call the Security Risk Assessment Methodology (our proprietary approach), which draws on others," says Gray.
Control Risks' methodology draws on a number of security frameworks from around the world; it is rooted in the ISO 31000 risk management framework (the successor to AS/NZS 4360) and lines up with ISO Guide 73 (vocabulary) and IEC/ISO 31010 (assessment techniques).
According to Gray, the Security Risk Assessment Methodology also uses parts of:
- the API/NPRA Security Vulnerability Assessment,
- the US Department of Homeland Security FEMA 452 guide to conducting risk assessments,
- a modified version of the Defense Department's CARVER target analysis methodology,
- business impact analysis from BS 25999-1:2006 clause 6:2,
- and the UK Home Office Scientific Development Branch's guidelines on developing operational requirements for security.