Organisations must define their IT risk appetite and tolerance

At its simplest, IT governance can be defined as an IT investment decision-making framework, designed to maximise the return or benefits while managing risk at acceptable levels. But what exactly is meant by "acceptable levels?" The answer is that it differs from one organisation to the next. Some organisations are conservative and risk-averse, while others are willing to accept greater risks in the pursuit of greater returns. To address this differentiation; an IT governance framework should clearly define the strategic context of IT risk as it pertains to IT risk appetite and IT risk tolerance. With such a framework in place, you can compare individual decisions to an in-place standard and more easily identify, consider, and manage deviations from the standard.

An organisation's IT risk appetite is a subset of its overall enterprise risk appetite and therefore cannot be developed in isolation. It is ultimately the responsibility of the board of directors to define an organisation's risk appetite based on input and recommendations of senior management. The IT organisation can define, document, and communicate the IT risk appetite and risk tolerance by developing a table that includes the IT risk elements, the risk appetite for each element, and the risk tolerance for each element as described below:

A risk element defines a category of risk:
There are a variety of IT risks, including execution risks, technology risks, security risks, etc. As the first step in developing an IT risk appetite profile, an organisation must develop a list of the most likely IT risks it may face. For example, technology risk occurs when a technology component fails to operate as expected or is unavailable, such as if a project is dependent on a new software module but the vendor delivers the module three months later than required.

Risk appetite defines how much risk is acceptable:
For each risk element identified, the amount of risk that is acceptable for that element needs to be defined. For instance, because the business depends on IT for frequent enhancements to its customer-facing systems, it requires projects to be delivered on time and on budget.

Risk tolerance defines the tolerable deviation:
Once the risk appetite has been defined, the risk tolerance for the risk element must be defined. For risk-averse organisations, the risk tolerance may be zero, while a more risk-aggressive firm would have a higher risk tolerance.

The organisation's IT risk appetite and risk tolerance can be documented and communicated via a table (see Figure 2). Failure to define a risk appetite and risk tolerance undermines any risk management process. The lack of definition deprives the organisation of any guidance in making decisions about when and how to address risks as they arise. Furthermore, it ensures that any response to risk is an isolated action and not aligned with the overall enterprise approach to risk.

1 2 Page 1
Page 1 of 2
7 secrets of successful remote IT teams