
How to determine your company's real risk appetite

David Geer | Feb. 27, 2013
In a 2012 customer survey conducted by the Corporate Executive Board (CEB), 70 percent of respondents said they do not have a formal risk-appetite approach in place. "Seventeen percent said they have something in place that is actually working," confirms Matt Shinkman, senior director of risk management research and advisory at the CEB.

Gray takes stakeholders through the risks associated with conducting the given type of business using a risk matrix. "We ask them whether a given exposure to risk is acceptable given the likelihood and severity of the risk," says Gray. Then the organization can decide how to address the risk.

According to Gray, at this stage stakeholders decide whether to tolerate, terminate, treat or transfer the risk. If the risk is acceptable, the company will not do anything about it. If the risk has changed or is unacceptable, the company will terminate it by ceasing those operations. Treating the risk means reducing the likelihood or impact of the risk, and transferring the risk means covering it through insurance.

Using Risk Frameworks

Security experts point to several risk frameworks and methodologies that apply to ERM and risk appetite, and they recommend these alongside the proprietary methodologies that they use themselves or see organizations using.

"About 40 percent of the companies we work with base their ERM on COSO, and another 40 percent base theirs on the ISO 31000. The other 20 percent use an ad-hoc or homegrown approach," says Shinkman. (Also read COSO for CSOs, an interview with framework co-author Richard Steinberg.)

The PricewaterhouseCoopers Americas Risk Transformation Practice uses its own distillation of industry practices rather than frameworks to guide clients to improve operational strategic performance by measuring their operational risk appetite. "Frameworks are not as valuable as our expertise and experience," Faris contends.

"Because we need a global methodology, we have our own standard that we call the Security Risk Assessment Methodology (our proprietary approach), which draws on others," says Gray.

Control Risks' methodology draws on a number of security frameworks from around the world; it is rooted in the ISO 31000 risk management framework (the successor to AS/NZ 4360) and lines up with ISO Guide 73 (vocabulary) and IEC/ISO 31010 (assessment techniques).

The Security Risk Assessment Methodology also uses parts of:

  • the API/NPRA Security Vulnerability Assessment,
  • the US Department of Homeland Security FEMA 452 guide to conducting risk assessments,
  • a modified version of the Defense Department's CARVER target analysis methodology,
  • business impact analysis from BS 25999-1:2006 clause 6:2,
  • and the UK Home Office Scientific Development Branch's guidelines on developing operational requirements for security.
