Cybersecurity Risk Appetite

Do you understand your risk appetite when it comes to cybersecurity and data protection?

Managing risk is complex and rarely the same in any two organisations. Establishing your risk appetite and balancing it with your regulatory and compliance requirements is not a complicated task; it simply requires a task-driven, practical approach to defining your risks and putting appropriate technical and procedural controls in place.

Getting the right buy in

The challenge is to facilitate this risk appetite approach via the Board and/or the Senior Management Team so that the organisation agrees the appetite; the organisation can then build out its technical and procedural controls. Most Boards and Senior Management Teams consist of highly qualified, experienced individuals with many years of building skills and knowledge in particular areas. These individuals tend to address risk within their skill set (Finance, Human Resources) almost instinctively, based upon that extensive experience. Cybersecurity presents a challenge to these individuals because it is not their primary area of expertise; they struggle to respond appropriately and often over- or under-react to the challenge.

Establishing risk appetite must start at this level, and there needs to be a supportive approach to enabling these senior individuals to understand the sensitivity of this task. So how do we go about achieving this?

Working through the real-world risks and how regulatory and compliance requirements can impact an organisation is the key process. Establishing an understanding of the actual impact, and of how the organisation would react to and manage it, allows the Board to make informed decisions.

Getting Started

Risk appetite can be established via a Board-level workshop. This workshop can include Board members, functional management, and external consultancy advice and guidance, and should produce the following:

  • Legal requirements – This is typically defined as the GDPR, Misuse of Computers Act, Data Protection Act 2018, and any local Data Protection Law.
  • Regulatory requirements – This is typically defined as PCI DSS, FCA (Financial Conduct Authority) and any local regulatory requirement.
  • Best practice – This is typically defined as ISO27001 Certification, Cyber Essentials, NIST Audit.

This workshop will consider how the organisation responds to the following definitions:

  • Hungry Risk Appetite: Eager to be innovative and choose activities that focus on maximising opportunities (additional benefits and goals) and offering potentially very high reward, even if these activities carry a very high residual risk.
  • Open Risk Appetite: Undertakes activities by seeking to achieve a balance between a high likelihood of successful delivery and a high degree of reward and value for money; or activities themselves may potentially carry, or contribute to, a high degree of residual risk.
  • Cautious Risk Appetite: Willing to accept/tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant reward and/or realise an opportunity; or activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent.
  • Minimalist Risk Appetite: Predilection to undertake activities considered to be very safe in the achievement of key deliverables or initiatives; or activities will only be taken where they have a low degree of inherent risk. The associated potential for reward/pursuit of opportunity is not a key driver in selecting activities.
  • Averse Risk Appetite: Avoidance of risk and uncertainty in the achievement of key deliverables or initiatives is paramount; or activities undertaken will only be those considered to carry virtually no inherent risk.

It is not unusual for different parts of an organisation to have differing risk appetites; this approach ensures that an organisation has clear direction and understanding of how it manages its cybersecurity and data protection challenges. It also ensures that the appropriate level of investment in technical and procedural controls is in place to meet the risk appetite.

Contact Us for more information or to speak to an expert.
