How much cyber risk is your organisation willing to take on? Knowing this “risk appetite” is an important element in the pace of the digitisation of your organisation.
Cyber resilience is the ability of your enterprise to keep its transformed business models efficient and effective in the face of increased IT system threats from nation states, criminals, competitors, insiders and the supply chain. This resilience also applies to legal, regulatory and political changes.
By assessing your organisation’s business risk appetite, you can also ensure that its cyber risk appetite is aligned to help achieve your overall corporate strategy.
That said, an organisation’s risk appetite or tolerance can be difficult to measure, in part because business units in an organisation may view the same risk differently. For example, an opportunity that looks attractive to sales may seem overly risky to IT. This can lead to inappropriate levels of risk control being applied to people, processes and technology.
Fortunately, models are available to help enterprises navigate this terrain. As part of the toolkit for Board members, the World Economic Forum has established guidelines to help boards define and quantify their organisation’s risk tolerance, ensuring consistency between its corporate strategy and its cyber risk appetite. These include:
- Understanding the potential business impact of risk on both individual projects and business lines, as well as on the organisation as a whole.
- Agreeing on risk appetite in light of shareholder, regulatory, customer and external perspectives, such as legal and regulatory considerations.
- Understanding how the balance between meeting business objectives on the one hand, and the operational cost and impact of cybersecurity on the other, is determined by risk appetite.
- Clarifying how the agreed-upon risk appetite should be applied to business decision making.
- Presenting the difference between agreed-upon risk appetite and actual risk tolerance on an annual basis.
Managing the cyber resilience element of enterprise risk involves engaging both IT and business leaders in an ongoing dialogue about balancing risk vs. opportunity in the context of the business strategy.
This proactive approach is more effective than simply reacting to the news media’s latest “cyber scare.” By using a structured management framework, an organisation can ensure that all its leaders, at all levels, understand both the organisational risk position and the competitive advantage of true cyber resilience.
Read more in the position paper, “Managing Enterprise Risk in a Connected World.”