Risk Rating and Risk Appetite
Setting Risk Appetite is a Critical Board Responsibility


(This article was originally posted on March 6, 2023 on my Enabling Board Cyber Oversight blog series at Risk Rating and Risk Appetite)

#cyberriskmanagement #cybersecurity #boardsofdirectors #boardcyberoversight

Blog #6 of ~15 in ECRM Framework & Strategy Series


If you are starting this ECRM Framework & Strategy Series here, with Blog #6, you may wish to review the previous posts in the series first.

In each post in the series, I will cover one or more aspects of developing your Enterprise Cyber Risk Management (ECRM) Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.

This series aims to explain what content is needed in each area and provide a good head start on developing and documenting your ECRM Framework and Strategy.

Introduction

The topic of the ECRM Framework and Strategy and related documentation covered in this post is:

14. Risk Rating and Risk Appetite

(For the complete Table of Contents, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)

As C-suite executives and board members, your role is to provide the leadership and oversight to ensure the execution of three basic steps:

  1. Identify and then prioritize all your organization’s unique information and cyber risks.
  2. Discuss, debate, and settle on your appetite for cyber risk, i.e., determine what level of risk your organization is prepared to accept.
  3. Treat each risk by making informed decisions about which risks you will accept and which you will treat (avoid, mitigate, or transfer), then execute that plan.

These three steps and concepts—risks, risk appetite, and risk treatment—will continue to have relevance regardless of how new or mature your ECRM program is.

14. Risk Rating and Risk Appetite

Risk

Let’s first revisit risk. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.”[1]

The National Institute of Standards and Technology (NIST) defines risk as “A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs, and (ii) the likelihood of occurrence.”[2]

I like the enlightened treatment of risk that the National Association of Corporate Directors (NACD) presents in Module 9 of its Virtual Director Professionalism program. The NACD materials state that companies win because they do a better job of taking risks, not because they do a better job of avoiding them.[3] In discussing treating risk by “managing the downside,” “managing the expected,” and “managing the upside,” NACD takes the view that risk may also be an opportunity, consistent with the COSO definition of risk.

What potential loss or harm can occur from a specific cyber risk? Risk is a function of the likelihood of a given threat triggering or exploiting a particular vulnerability in the protection of an asset, and the resulting impact on the organization. Risk is not, therefore, a single factor or event but the combination of variables (assets, threats, vulnerabilities, controls) that, considered together, can hurt your organization or its stakeholders. Cyber risk arises from compromise of the confidentiality, integrity, or availability of your information assets, i.e., the data, systems, or devices that enable business processes. In this post, I focus on “managing the downside.” (Asset, threat, vulnerability, control, likelihood, impact, confidentiality, integrity, and availability are critical cyber risk management terms; see the previous post in this series entitled Basic Cyber Risk Management Terminology.)

A strong, proactive ECRM program enables you to do a better job of taking risks. To take risks well, you must be able to assess and rate (or value) them. When rating risks, we consider risk scenarios composed of an asset, a threat, and a vulnerability. As an example, and as illustrated below, a risk scenario would be a laptop (the asset), a burglar (the threat), and no encryption on the laptop (the vulnerability).

Risk Rating

The risk rating for a risk scenario {asset-threat-vulnerability} is determined by considering both the likelihood and the impact of the threat event. In the {laptop-burglar-no encryption} risk scenario I described above, the risk rating might be “5” (likelihood scale) multiplied by “4” (impact scale), resulting in a total risk rating of 20 for this particular risk scenario. In chapter 5 of Stop the Cyber Bleeding[4], I provide definitions and samples of 5-point scales for likelihood and impact.

(Note that since the likelihood and impact scales each have five rating levels, the highest possible risk rating is 5 x 5, or 25.) Calculating the risk rating for all scenarios produces an initial, natural ranking of risks from most serious to least severe. Rating all risks produces a risk register like the sample shown here.

(See the sample risk register in the original post at Risk Rating and Risk Appetite.)

This risk register information may inform the C-suite and board members’ deliberations when determining a risk appetite for the organization. These ratings also provide an inherent starting point for the prioritization of risks.

Risk Appetite

The board should work with management in setting a risk appetite.

Setting, communicating, and adjusting your organization’s risk appetite is one of the essential C-suite and board ECRM program responsibilities. Once you identify and rate your risks, you must decide which risks you will treat and which you will accept. Risk appetite is generally defined as the level of risk an organization is willing to assume to achieve a potential desired result. For example, in the risk scenario where a careless employee loses an unencrypted laptop, if that risk is assigned a likelihood of 5 out of 5 and an impact of 4 out of 5, then the risk rating for that scenario is 20. If the organization’s risk appetite is set at 15, it will not accept this risk but treat it somehow (i.e., avoid, mitigate, or transfer it). But if the organization’s risk appetite were set at 22, the organization would accept this risk.
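The rating, ranking, and appetite comparison described in this section and in Risk Rating above, as an added worked example in Python. This is not code from the original post or from Clearwater; the five scenarios, their scale values, and the tie-break rule are constructed assumptions, and treating a rating equal to the appetite as acceptable is a modelling choice the post does not settle. It also goes one step beyond the text by re-rating a scenario after a control is applied, which is how you check that a mitigation actually brings the risk back under appetite.

```python
"""Qualitative cyber risk register: rate {asset-threat-vulnerability}
scenarios on 5-point likelihood and impact scales, rank them, and apply a
risk appetite threshold to decide which risks are accepted and which must
be treated.  Illustrative example only; the scenarios are constructed."""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5                 # 5-point likelihood and impact scales
MAX_RATING = SCALE_MAX * SCALE_MAX          # 5 x 5 = 25


@dataclass(frozen=True)
class RiskScenario:
    """One {asset-threat-vulnerability} risk scenario with its two ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject values outside the scale so a typo such as 50 cannot dominate the register.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")

    @property
    def rating(self) -> int:
        """Risk rating = likelihood x impact (20 for {laptop-burglar-no encryption})."""
        return self.likelihood * self.impact

    @property
    def label(self) -> str:
        return f"{{{self.asset}-{self.threat}-{self.vulnerability}}}"


def build_register(scenarios):
    """Rank scenarios from most serious to least severe.
    Assumed tie-break: equal ratings are ordered by impact, so a 4x5 risk
    ranks above a 5x4 one."""
    return sorted(scenarios, key=lambda s: (s.rating, s.impact), reverse=True)


def apply_risk_appetite(register, appetite):
    """Split a ranked register into (treat, accept) lists.
    Assumption: a rating above the appetite must be treated (avoid, mitigate,
    or transfer); a rating at or below it may be accepted."""
    if not 0 <= appetite <= MAX_RATING:
        raise ValueError(f"risk appetite must be between 0 and {MAX_RATING}")
    treat = [s for s in register if s.rating > appetite]
    accept = [s for s in register if s.rating <= appetite]
    return treat, accept


def mitigate(scenario, *, likelihood=None, impact=None):
    """Re-rate a scenario after a control changes its likelihood and/or impact
    (e.g. full-disk encryption leaves a stolen laptop's data unreadable).
    The new values pass through the same scale validation."""
    return replace(scenario,
                   likelihood=scenario.likelihood if likelihood is None else likelihood,
                   impact=scenario.impact if impact is None else impact)


# Constructed sample scenarios (illustrative, not from a real risk analysis).
SAMPLE_SCENARIOS = [
    RiskScenario("laptop", "burglar", "no encryption", likelihood=5, impact=4),
    RiskScenario("EHR database", "ransomware", "unpatched VPN", likelihood=4, impact=5),
    RiskScenario("workstation", "phishing", "no MFA", likelihood=5, impact=3),
    RiskScenario("backup tapes", "fire", "no offsite copy", likelihood=1, impact=5),
    RiskScenario("printer", "misuse", "default password", likelihood=3, impact=1),
]


def print_register(appetite):
    register = build_register(SAMPLE_SCENARIOS)
    treat, _ = apply_risk_appetite(register, appetite)
    for s in register:
        decision = "TREAT" if s in treat else "accept"
        print(f"{s.rating:>3}  {s.likelihood}x{s.impact}  {decision:<7} {s.label}")


if __name__ == "__main__":
    print_register(appetite=15)
    laptop = SAMPLE_SCENARIOS[0]
    encrypted = mitigate(laptop, impact=1)   # data unreadable, so impact drops to 1
    print(f"\nafter encryption: {encrypted.label} rating {laptop.rating} -> {encrypted.rating}")
```

With an appetite of 15 the two scenarios rated 20 are flagged for treatment and the rest are accepted, matching the post's example; raising the appetite to 22 accepts all five. Re-rating the encrypted laptop drops it from 20 to 5, which is the check a board should expect to see for every mitigation decision: the residual rating, not the investment, is what proves the risk is back under appetite.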

Here's a healthcare example. Suppose your organization plans to implement a new ambulatory surgery software application to support a new line of business. You will want to conduct a risk analysis to determine the cyber risks associated with implementing and operating this new application. Suppose you decide this initiative will create risks above your risk appetite that you cannot treat (avoid, mitigate, or transfer). In that case, you should delay the initiative until you can treat the associated risks. Or, if this is a critical business initiative, you should increase your investment to ensure the associated cyber risks are managed below your risk appetite.

Prioritization requires rating your risks and defining your risk appetite so that you can tailor your risk management measures to align with the level of risk involved. As former National Security Advisor McGeorge Bundy once observed, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”[5]

The ultimate goal of your ECRM program is to implement reasonable and appropriate controls to ensure your risks are rated below your risk appetite. Controls (also called safeguards or countermeasures) are the tools your organization uses to mitigate risks to an acceptable level.

The discussion of risk appetite is an evergreen topic. It always retains its relevance. Your organization’s risk appetite may change as your risk profile changes, your ECRM resources change, your ECRM program matures, and your business vision, mission, strategy, values, and services change. So, risk appetite is always an appropriate topic of discussion at the board level.

Summary

It is essential to include a section in your ECRM Framework and Strategy document that covers how you will assign a risk rating and what your risk appetite is.

In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. Defining your risk rating methodology and risk appetite is vital to meeting these future requirements.

My Stop the Cyber Bleeding | Putting ECRM Into Action YouTube channel includes brief video clips covering many of the topics in this series. It may help guide the development of your ECRM Framework and Strategy and can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.

In the next post in this ECRM Framework & Strategy Series, I will discuss Risk Framing Standards, Policies, and Procedures, an essential input into making informed risk treatment decisions.

Questions Management and Board Should Ask and Discuss

  1. Has your organization formally defined risk, risk rating, and risk appetite?
  2. Have these definitions been documented in your organization’s ECRM strategy documents and communicated through ECRM training?
  3. As C-suite executives and board members, have you discussed, debated, and established your cyber risk appetite?
  4. Does your organization already conduct an ongoing, rigorous, comprehensive, enterprisewide risk analysis that would meet regulatory requirements applicable to your industry?
  5. Would it be valuable to engage an experienced ECRM partner to establish, implement, and mature your organization’s ECRM program?
  6. Do your risk ratings and risk appetite documentation meet the future requirements of the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule Changes today?

Endnotes


[1] COSO. “Compliance Risk Management: Applying the COSO ERM Framework.” November 2020. Available at https://www.coso.org/Shared%20Documents/Compliance-Risk-Management-Applying-the-COSO-ERM-Framework.pdf

[2] “Risk.” Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Accessed January 13, 2023. Available at https://csrc.nist.gov/glossary/

[3] Virtual Director Professionalism. National Association of Corporate Directors. n.d., Accessed January 25, 2023. Available at https://www.nacdonline.org/events/detail.cfm?ItemNumber=74119

[4] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[5] “Sorting diamonds from toothbrushes: New guide to protecting personal information.” National Institute of Standards and Technology (NIST). January 13, 2009. https://www.nist.gov/news-events/news/2009/01/sorting-diamonds-toothbrushes-new-guide-protecting-personal-information

Duc Anh Nguyen

BCM Policy Governance at Financial Institutions | Knowledge management | G"S"RSC Methodology Framework

2 years

Great to see your insights, thoughtfully