Carey explores this important aspect of business continuity and
risk management programs.
Over six years ago, when I was starting
the US ERM practice for Ernst & Young, the partner I worked
for had a corporate finance background and continually encouraged
me to connect risk management principles to finance concepts. This
led me to develop, early on, concepts that would connect risks to
the financial value drivers of an organisation. In recent years,
this approach has evolved to include stakeholder value drivers as
well as inputs from Balanced Scorecard concepts. It has evolved
into a relatively clear way to articulate risk appetite in terms
that business managers can understand and incorporate into their
day-to-day management processes.
‘Risk appetite’ is a term
that is frequently used throughout the risk management community,
but it seems that there is a lack of useful information on its application
- outside of financial risk areas or other risks that can easily
be translated into financial terms. Risk appetite, at the organisational
level, is the amount of risk exposure, or potential adverse impact
from an event, that the organisation is willing to accept/retain.
Once the risk appetite threshold has been breached, risk management
treatments and business controls are implemented to bring the exposure
level back within the accepted range.
To define your organisation's risk appetite
and determine the acceptable level of risk, you should answer the
* Where do we feel we should allocate
our limited time and resources to minimise risk exposures? Why?
* What level of risk exposure requires immediate action? Why?
* What level of risk requires a formal response strategy to mitigate
the potentially material impact? Why?
* What events have occurred in the past, and at what level were
they managed? Why?
Each question is followed by a ‘Why’
because the organisation should be able to articulate the quantitative
and/or qualitative basis for the appetite, or it will come off as
backwards-looking (based only on historical events) or even arbitrary.
My company, DelCreo, has developed a
methodology and strategic approach that helps organisations, as
well as the security, risk and control functions contained therein,
develop and articulate their risk appetite. The key deliverable
in this process is the risk appetite table. An extract from a simple
example of a Risk Appetite Table can be seen at http://www.delcreo.com/delcreo/free/docs/RiskAppetiteTable.pdf
The Risk Appetite Table has three key
1. Impact table
2. Likelihood table
3. Risk appetite table
Recent changes in global regulations
that encompass security, risk and control implications have raised
the awareness around the concept of risk appetite, particularly
among the management team. Many organisations - from the board level
down - are currently struggling with risk management in general,
and understanding and implementing meaningful processes, metrics
and strategies in regards to risk appetite. The process we use to
articulate the risk appetite for an organisation or a function is
described in the sections that follow.
At first glance, the process we are describing may look like a typical
risk mapping exercise; in fact, this exercise should be applied
to risks previously identified in a risk mapping project. The manner
in which you design your appetite and implement follow-up risk management
processes will carry business continuity, incident management, business
management and strategic implications that go far beyond a risk
The first step in developing your organisation's risk appetite is
to identify who the key stakeholders are. Stakeholders can be any
person, group or entity that can place a claim on the organisation's
attention, resources or output, or is affected by that output. Stakeholders
tend to drive decision making, metrics and measurement, and, of
course, risk appetite. They may be internal or external - don't
neglect stakeholders that have a direct impact on your salary and
performance reviews! Once stakeholders have been identified, list
the interests, benefits and outputs that stakeholders demand from
your organisation, such as:
- Shareholder value
- Compliance with regulations
- Product safety
- Privacy of personal information
The interests, benefits and outputs that stakeholders demand are
often defined at a high level, making it difficult to articulate
direct impacts your function has on the outcome. For example, shareholders
are interested in increasing shareholder value. It is difficult
to know that you are directly impacting shareholder value with a
particular risk management activity. However, by managing costs
effectively and reducing the number of loss events, you can be assured
to positively impact shareholder value. Ultimately, business and
function strategies are designed with the intent of creating value
for key stakeholders. Value drivers then, are the key elements/performance
measures required by the organisation to meet key stakeholder demands;
value drivers should be broken down to the level where they can
be managed. You should identify potential value drivers for each
key stakeholder group; however, seek to limit the value drivers
to those that your security, risk or control program can impact
in a significant way. The core element of the risk appetite table
is determining how you will describe and group potential impacts
and the organisation's desire to accept those impacts.
The Balanced Scorecard approach provides
one method for identifying value drivers. This describes a process
or framework for articulating strategies that create value. The
Balanced Scorecard approach was developed by Robert S. Kaplan and
Robert D. Norton and is an approach used by many organisations around
Key risk indicators
Key risk indicators are derived from the value drivers you have
selected. Identification of key risk indicators is a three step
1. Identify and understand value drivers
that may be relevant for your business or function. Typically this
will involve breaking down the value drivers to the level that will
relate to your program.
2. Select the key risk indicator metric to be used.
3. Determine appropriate thresholds for each key risk indicator.
Value driver breakdown:
* Increase Revenue
* Lower Costs
* Prevent Loss of Assets
Key risk indicators:
Increase Revenue - Lost revenue due to business interruption
Lower Costs - Incremental out-of-budget costs
Prevent Loss of Assets - Dollar value of lost assets
Incremental out of budget cost:
Level One Threshold 0-50K
Level Two Threshold 51-250K
Level Three Threshold 251K-1M
Level Four Threshold 1M+
One of the more challenging aspects of
defining your risk appetite is creating a diverse range of key risk
indicators, and then level-setting each set of thresholds so that
comparable impacts to the organisation are being managed with comparable
attention. For example, how do you equate a potential dollar loss
with the number of customers unable to receive customer support
for two days? Or even more basic, is one dollar of lost revenue
the equivalent of one dollar of incremental cost?
It is equally important that you carefully
consider how you establish your thresholds from an organisational
perspective. You should fully consider whether you are establishing
your program within the context of a single business unit, a global
corporation, or from a functional perspective. Each threshold should
trigger the next organisational level at which the risk needs to
be managed. This becomes an actual manifestation of your risk appetite
as risk management becomes more strictly aligned with management
and the board's desire to accept certain levels of risk. These thresholds,
or impact levels, should be commensurate with the level at which
business decisions with similar implications are managed. For example,
a risk appetite impact table being defined for the insurance and
risk financing program might be broken down as follows:
Threshold Level 1 - Manage risk or event within business unit or
Threshold Level 2 - Risk or event should be escalated to the insurance
& risk financing program
Threshold Level 3 - Risk or event should be escalated to the corporate
Threshold Level 4 - Risk or event should be escalated to the corporate
crisis management team or the executive management team.
The likelihood table reflects a traditional risk assessment likelihood
scale. For this example, it will remain simple.
Level 1 - Low probability of occurring
Level 2 - Medium
Level 3 - High
Level 4 - Currently impacting the organisation
There is a wide range of approaches for
establishing likelihood metrics ranging from simple and qualitative
(as in the example above) to complex, quantitative analyses (such
as actuarial depictions used by the insurance industry).
Risk appetite table
The risk appetite table helps an organisation to align real risk
exposure with its management and escalation activities. An event
or risk is assessed in the risk appetite table and assigned a risk
score by multiplying the impact and likelihood scores. Ranges of
risk scores are then associated with different levels of management
attention. The escalation levels within the risk appetite table
will be the same as the levels in the impact table. The actual ranking
of a risk on the risk appetite table will usually be lower then
its ranking on the impact table - this is because the probability
the risk will occur has lowered the overall ranking. Incidents or
events that are in process will have 100 percent chance of occurring;
therefore their level on the risk appetite table should equal the
ranking on the impact table.
Score between 1-4 - Manage risk or event within business unit or
Score between 5-8 - Risk or event should be escalated to the insurance
& risk financing program
Score between 9-11 - Risk or event should be escalated to the corporate
Score between 12-16 - Risk or event should be escalated to the corporate
crisis management team or the executive management team
RISK APPETITE: A PRACTICAL APPLICATION
The following section provides a practical application of the risk
appetite table. We will use the risk appetite of an information
security department for our example.
Determine the impact score
A vulnerability is identified in Windows XP Professional. Consider
the impact to the organisation if this vulnerability were to be
exploited. You should factor in your existing controls, risk management
treatments and activities including the recently implemented patch
management program. You decide that if this vulnerability were to
be exploited, the impact to the organisation would be very significant
because every employee uses Windows XP on the workstations. You
have assigned the event an impact score of 4 out of 4.
Determine the likelihood score
Consider the likelihood of the event occurring within the context
of your existing controls, risk management treatments and activities.
Because of the availability of a patch on the Microsoft website
and the recent success of the patch management program, you are
certain that the number of employees and, ultimately, customers,
that are likely to be impacted by the vulnerability is Low. You
assign a likelihood score of 2 out of 4.
Determine risk score and management
Simply multiply the impact score by the likelihood score to calculate
where this event falls on the risk appetite table. In this case,
we end up with a risk score of 8 and thus, continue to manage the
event in the information security patch management program. If at
any point, it becomes apparent a larger number of employees and/or
customers may be impacted then was originally thought, consideration
should be paid to a more significant escalation up the management
The risk appetite table is ONLY a risk
management tool. It is not the sole decision making device in assessing
risk or events. At all times, professional judgment should be exercised
to validate the output of the risk appetite table. Also, it is critical
that the tables should be reviewed and evolve as your program and
your overall business model matures.
Once you have completed the development
of your risk appetite table, there is still a lot of work ahead.
You need to do the following things:
* Validate the risk appetite table with your management team.
* Communicate the risk appetite table to business units, and your
peers within the security, risk and control functions of your organisation.
* Develop incident management and escalation procedures based on
your risk appetite
* Test your risk appetite table. Does it make sense? Does it help
you determine how to manage risks? Does it provide a useful framework
for your team?
Mark Carey is CEO of DelCreo,
DelCreo, Inc. is an enterprise risk management company
helping risk professionals develop and rollout successful risk programs.
I was fascinated by the article on risk appetite. However it is a little simplistic, focusing mainly on financial risk. We have a client that could well afford a cash loss of USD 300m, but a loss of USD 2m that reflected lack of control could result in a far more important impact on reputation, regulatory interference and a credit rating hit that would far outweigh the financial risk. We have another client whose 8 minute loss of service could cause financial losses of USD 1 billion - but the consequential credibility loss could put them out of business. A more holistic approach is essential.
IBM, HP, GM, Ford and countless others survived loss of profits - that, you can survive with the support of your bankers and financiers. Strangely, the most trusted organisations are not the government, the judiciary, the police, journalists - but the supermarkets. That is what enables them to diversify into non-food products including financial services. How many of us would buy a used car from a politician? Lose your reputation and you lose your business - whether as a government or as a burger bar.
Basically, the most important asset a company owns is image and reputation. This not only applies to the private sector, but also to the public sector.
Andrew Hiles FBCI MBCS, managing director, Kingswell International
UPDATED 5TH MAY 2005 •Region: US/World •Type:
Article •Topic: Risk
this article or make a comment - click