As a risk professional, when I look across the various organisations that I have worked with, one thing is clear: Risk is either embraced and used to drive smart decision making, or it is seen as a huge blocker for progress that must be avoided at all costs!
When risk management is understood, it can be used to drive a technology department forward, and at pace.
Appetite vs. tolerance vs. threshold – what does it all even mean anyway?
To make effective, risk-driven decisions, understanding the difference between risk appetite, tolerance, and threshold is key. Each of these three elements is set by your board, and when understood by technology they can be used to enable effective decision making, make the best use of limited resources, and support bold strides forward.
At a high level, risk appetite defines the overall attitude or willingness of an organisation to take on risk in pursuit of its business objectives. In layman's terms: how much risk is the company willing to take on in order to grow turnover by 5% over last year, or to grow the customer base by 10%?
Risk appetite matters for two key reasons:
- Many firms, particularly in regulated industries, are required to demonstrate to regulators the risk management that is in place within the organisation, and the thinking and consideration that has gone into the risks held by the firm.
- By clearly articulating the risk appetite of the organization, the board enables decision makers throughout the organization, and indeed within technology, to decide how much risk they should take in any given situation.
Bringing this home to technology and the position of the CIO: understanding the risk appetite, that is, how much risk the board is willing to accept in pursuit of a robust and advanced technology department, enables the CIO to make decisions about key strategic initiatives, new technology risk exposures, and the prioritisation of work when resources are limited.
Where risk appetite is about the willingness to take on risk, risk tolerance is about the maximum amount of risk that a firm will withstand. Risk appetite defines the overall attitude that an organisation has towards holding risk as a firm, whereas risk tolerance is set for particular risks (e.g., business disruption due to malware, or unauthorised access to data) and defines how much risk in that area is deemed acceptable.
To bring this to life for the CIO: a company may have a moderate overall risk appetite and be happy to take on risk where there is a high chance the decision will put it ahead of competitors, yet have a low tolerance for reputational risk specifically, because reputation is the backbone of the business.
Therefore, knowing that the tolerance for reputational risk is low, any proposed technology initiative or new technology risk exposure that increases the firm's reputational risk will need to be reconsidered. At a minimum, the CIO will need to think about what additional controls to implement to reduce the risk before the initiative will gain full support from the organisation.
Risk threshold is the specific, measurable point above which the amount of risk becomes unacceptable: for the malware example above, this might be expressed as a maximum number of hours of business disruption the firm is prepared to sustain.
When a risk falls outside of tolerance, there are realistically only two options: apply technology resources to mitigate the risk back to an acceptable level, or formally accept the risk via the organisation's operational risk management processes. (Transferring the risk, for example through insurance, or avoiding it by not proceeding with the initiative are also recognised treatments, but for an initiative already in flight the choice usually comes down to mitigate or accept.) Acceptance should be recorded and signed off by a risk owner with the authority to accept a risk of that size; a risk that has simply been left unmitigated is not an accepted risk.
This is where the magic lies.
The more the CIO (and, really, every member of the technology department) understands the line above which risk is unacceptable, the more that understanding can form the foundation of decision making across all technology-based initiatives.
By asking good questions, and using this framework to translate a technology risk into business terms, the CIO and technology leaders can make good choices about where to apply resources, time, and effort, based on an understanding of the firm's attitude to risk and of which risks are in and out of tolerance.
Risk management can also be used to weed out those problems that are loudly shouted about but do not actually pose much risk to the firm: they fall within tolerance and therefore do not require mitigation. Instead, CIOs can use risk strategies to articulate the key areas of concern within the technology department, in language that makes sense to the key business stakeholders.
By clearly articulating in business terms the risk currently held within a legacy estate, for example, and how that risk may affect the business, CIOs can lead a very productive conversation with business stakeholders about addressing the technology risks held by the firm.