


Gartner is a well known and respected information technology research and advisory company.


Some time ago they introduced “Gartner Peer Insights”, an online platform of ratings and reviews of IT software and services. The reviews are written and read by IT professionals and technology decision-makers like you, without input from the vendors and service providers being reviewed. I dare say it’s sort of the Angie’s List for technology: helping IT leaders make more insightful purchase decisions and helping technology providers like us improve our products by receiving objective, unbiased customer feedback.

I encourage you, as a GRC professional, to take time to write a review about us or other GRC vendors you have had experience with to let Gartner, prospective customers, and RSA know what you truly think about our products.

  • Reviews take approximately 10 minutes to complete and are anonymous.
  • Your individual review will be published online at Gartner Peer Insights.
  • Your name and your company's name will not be displayed; reviews will be attributed solely to your demographic profile (your role, company size and industry).
  • If you are a provider of technologies or services, you are not eligible to review your competitors', affiliates', or your own products or services.


Write a review today. You might even win a free Gartner E-Book.

Marshall Toburen

Risk Appetite Limbo

Posted by Marshall Toburen Employee Apr 25, 2016


The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, published “Principles for An Effective Risk Appetite Framework” in November 2013.  Regulations were finalized around these principles by some regulators, including the Comptroller of the Currency, in 2014.  Although the genesis is FI-related, there are a lot of things in this publication that are useful to any organization trying to establish a risk appetite.  I’ve edited out the financial institution specific references for general consumption, regardless of industry.


Risk appetite statement definition: The articulation in written form of the aggregate level and types of risk that an organization is willing to accept, or to avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate.  It should also address more difficult to quantify risks such as reputation and conduct risks as well as unethical practices.


An effective risk appetite statement should:

a) Include key background information and assumptions that informed the organization’s strategic and business plans at the time they were approved;

b) Be linked to the institution’s short- and long-term strategic, capital and financial plans, as well as compensation programs, if applicable;

c) Establish the amount of risk the organization is prepared to accept in pursuit of its strategic objectives and business plan, taking into account the interests of its customers, the fiduciary duty to shareholders, as well as any regulatory requirements;

d) Determine for each material risk, and overall, the maximum level of risk that the organization is willing to operate within, based on its overall risk appetite, risk capacity, and risk profile;

e) Include quantitative measures that can be translated into risk limits applicable to business lines and legal entities as relevant, and at group level, which in turn can be aggregated and disaggregated to enable measurement of the risk profile against risk appetite and risk capacity;

f) Include qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk, including for reputational and other conduct risks across markets, and establish some form of boundaries or indicators (e.g. non-quantitative measures) to enable monitoring of these risks;

g) Ensure that the strategy and risk limits of each business line and legal entity, as relevant, align with the institution-wide risk appetite statement as appropriate; and

h) Be forward looking and, where applicable, subject to scenario and stress testing to ensure that the organization understands what events might push the organization outside its risk appetite and/or risk capacity.


A couple of key points

Risk appetite is not a reflection of an inherent or residual risk assessment but rather is a limit to which an assessment is to be compared to answer the question: Is the organization’s inherent and residual risk within the organization’s risk appetite?  If not, the risk needs to be further treated.  It is not generally permissible to accept risk above the appetite without changing the appetite.  Instead, you must mitigate, transfer, or hedge the risk in some manner to sufficiently bring the residual likelihood and impact down.


Secondly, since a risk assessment or a risk taking activity must be compared to the appetite, the measurement type / rating scale must be comparable.  If your appetite is set in dollars, then the risk assessment or activity must be in dollars, and vice versa.  The comparison can certainly be based on qualitative values, but the qualitative rating scale needs to be comparable.  That is to say, a risk assessment with a “High” rating must mean “High” in the same sense the risk appetite means “High”.  For example, if you state that a “High” reputation risk appetite is a negative story appearing in the Wall Street Journal, then your risk assessment cannot derive a “High” rating for a negative story appearing in the local newspaper.
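The two key points above, together with principle (e) on aggregating limits from business line to group level, can be made concrete in code. The following is an added example (not code from the original post, nor anything from RSA Archer): a residual risk register is compared against appetite limits, dollar exposures roll up from business line to group, qualitative ratings roll up to the worst rating present, and an assessment on one scale is refused against an appetite on another rather than silently compared. The appetite limits, the Low/Medium/High scale and the risk register are constructed sample values.

```python
"""Compare a residual risk register against a risk appetite (added example).

All limits, scale anchors and register entries below are constructed for
illustration; they are not taken from any real risk appetite statement.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# One anchored qualitative scale shared by assessments and appetite, so that
# "High" in an assessment means "High" in the same sense as in the appetite.
QUALITATIVE_SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Measure:
    value: Union[float, str]   # dollar amount, or a label from QUALITATIVE_SCALE
    unit: str                  # "USD" or "qualitative"

    def as_number(self) -> float:
        if self.unit == "qualitative":
            return float(QUALITATIVE_SCALE[self.value])
        return float(self.value)


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    business_line: str
    residual: Measure          # residual risk after existing controls


@dataclass(frozen=True)
class Appetite:
    category: str
    group_limit: Measure
    line_limits: Dict[str, Measure] = field(default_factory=dict)


def scales_comparable(a: Measure, b: Measure) -> bool:
    """An assessment may only be compared with an appetite on the same scale."""
    return a.unit == b.unit


def exceeds(residual: Measure, limit: Measure) -> bool:
    """True when residual risk sits above appetite; refuses mismatched scales."""
    if not scales_comparable(residual, limit):
        raise ValueError(f"cannot compare a {residual.unit} assessment with a {limit.unit} appetite")
    return residual.as_number() > limit.as_number()


def aggregate(measures: List[Measure], unit: str) -> Measure:
    """Roll residual risks up a level: dollars add, qualitative ratings take the worst."""
    if any(m.unit != unit for m in measures):
        raise ValueError("cannot aggregate measures on different scales")
    if unit == "USD":
        return Measure(sum(m.as_number() for m in measures), "USD")
    if not measures:
        return Measure("Low", "qualitative")
    return Measure(max(measures, key=lambda m: m.as_number()).value, "qualitative")


# (scope, subject, residual as number, limit as number); each needs treatment
Finding = Tuple[str, str, float, float]


def evaluate(risks: List[Risk], appetites: List[Appetite]) -> List[Finding]:
    findings: List[Finding] = []
    for appetite in appetites:
        unit = appetite.group_limit.unit
        cat_risks = [r for r in risks if r.category == appetite.category]
        # 1. Each risk against the limit of its business line (group limit if none is set).
        for r in cat_risks:
            limit = appetite.line_limits.get(r.business_line, appetite.group_limit)
            if exceeds(r.residual, limit):
                findings.append(("risk", r.name, r.residual.as_number(), limit.as_number()))
        # 2. Business-line aggregate against the line limit.
        for line, limit in appetite.line_limits.items():
            total = aggregate([r.residual for r in cat_risks if r.business_line == line], unit)
            if exceeds(total, limit):
                findings.append(("business_line", f"{appetite.category}/{line}",
                                 total.as_number(), limit.as_number()))
        # 3. Group aggregate against the group-level appetite.
        total = aggregate([r.residual for r in cat_risks], unit)
        if exceeds(total, appetite.group_limit):
            findings.append(("group", appetite.category, total.as_number(),
                             appetite.group_limit.as_number()))
    return findings


# Constructed sample appetite and register (hypothetical values).
APPETITES = [
    Appetite("Operational loss", Measure(2_000_000, "USD"),
             {"Retail": Measure(1_000_000, "USD"), "Commercial": Measure(1_500_000, "USD")}),
    Appetite("Reputation", Measure("Medium", "qualitative")),
]
RISKS = [
    Risk("Card fraud", "Operational loss", "Retail", Measure(600_000, "USD")),
    Risk("Branch outage", "Operational loss", "Retail", Measure(500_000, "USD")),
    Risk("Wire error", "Operational loss", "Commercial", Measure(1_200_000, "USD")),
    Risk("Negative local press", "Reputation", "Retail", Measure("Low", "qualitative")),
    Risk("Negative national press", "Reputation", "Commercial", Measure("High", "qualitative")),
]

if __name__ == "__main__":
    for scope, subject, residual, limit in evaluate(RISKS, APPETITES):
        print(f"treat: {scope} {subject}: residual {residual:,.0f} exceeds appetite {limit:,.0f}")
```

Note that no single operational-loss risk breaches its own line limit, yet the Retail line in aggregate and the category at group level both do; that is exactly the disaggregated-to-aggregated check principle (e) asks for. The scale-mismatch error is deliberate: a "High" rating compared with a dollar limit is a modelling defect, not a finding.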


Deriving Risk Appetite Statements

It is very difficult for most organizations to come up with risk appetite statements.  Often you must pose a long series of scenarios to management and the board until you get a sense as to their comfort level around risk.  Just because an organization may take on risk in its day to day activities does not mean that the risk taking is equivalent to their risk appetite.  Take for example a young man who has chosen to purchase his first car, a muscle car with a 500+ horsepower engine.  The young man has certainly chosen a higher risk automobile but has likely given little consideration to his risk appetite for increased insurance rates, tickets for speeding and exhibition of speed/acceleration/performance, and the increased likelihood of harm to property, his person, and to others.  If you were the parent of the young man, these would be the scenarios you would lay out, perhaps along with some facts and statistics, in order to get the young man to embrace a realistic risk appetite and throttle down the horsepower.




Share Your Experiences

If you have experience with organizations that have set risk appetite statements, please share what you can regarding the statements that were set, how they were derived, and how they are used on a day to day basis in the comment field below. If you prefer to send me a private Community message, just hover over my name at the top of the page and click on message.

As someone who tries to watch my diet, I know how hard it is to deal with your own appetite.   Several things that are my weakness – fresh bread, cold beer, pizza, the list goes on – are definitely not the best elements for a balanced diet.  However, at times, my appetite gets the better of me and, before I know it, the breadbasket or mug is empty.  We all face that gnawing hunger at times.  It is inevitable.   When it comes to RISK within your organization though, appetite takes on an entire new meaning.  Too much risk is like too much pizza.  Your organization becomes bloated with risk, the arteries clog and eventually the business will succumb to some bad ending in one way or another. However, if you don’t take some risk, your business will lack the nutrients for healthy growth and wither away as your competitors beat you in the market.  Maintaining a balanced diet and maintaining a good balance of risk in your business are very similar.  Appetite plays a big role in both.


The most burning question within every organization today – regardless of industry, size or geography – is “What’s next?”  Where is the business going?  What will be that growth engine that propels this company to the next level?  The next obvious question seems to be ‘Where does technology fit into the equation?’ Every business strategy today, whether it’s a new product or service, a new way to connect with customers, or a new approach to eke out more efficiencies in your business processes, has a technology component.  The right combination of technology and business growth strategy can be a powerful propellant for your business.  However, each element of that combination has an underlying current of risk.  Hence at some point the conversation of appetite will arise – what is the right balanced diet of risk to drive growth without becoming unhealthy?


This balance hinges on an understanding of the levels of tolerance within the organization.  Even without specifically talking about risk appetite, organizations (or the people running those organizations) inherently have some sense of what is acceptable and what is out of bounds.  Does your technology organization rush to implement the latest operating systems or versions of applications?  What is the lead time it takes to upgrade hardware? Risk appetite and tolerance are woven into operational processes in many ways – they just aren’t called out explicitly. In some instances, though, they are very much a part of an operational process, such as patching high risk vulnerabilities quickly.


The point is that a Cyber Risk Appetite as a concept is an inherent part of managing technology today. Current security and risk programs must establish a dialogue on appetite and tolerance between technologists and the business.  Since today you cannot separate business and technology risk, building a view of what the balanced diet needs to be must cross the entire spectrum of cyber risks. Hence the discussion of Cyber Risk goes beyond the conversation of pure cybersecurity threats.  The malicious outsider is a well discussed topic – and rightly so.  But for today’s executive discussion, the conversation must also include additional elements of cyber risk.  The challenge is for the business people to clearly understand where cyber risk plays a role in the business strategies, and for the technology people to connect the risks to the business with the technology efforts.  Connecting these two elements of risk, though, can be a significant struggle for many organizations.


Establishing what your Cyber Risk Appetite is, is a journey of maturity within the organization.  Right now, most likely there is already a sense of what is acceptable and what is not.  In some organizations that discourse may be an integral part of your risk approach.  If it is not, raising that conversation above the subconscious to become a part of the ongoing dialogue between the risk management and business segments of your organization will fuel better decisions as your organization balances out its diet and deals with that gnawing hunger for growth.
