Risk appetite isn’t a term that comes up a lot in the security trade media. This is interesting, because understanding risk appetite is a crucial factor in developing acceptable security programs, communicating value, and aligning the function with the goals of the business — all of which are talked about in security circles all the time. So what is risk appetite?
“One definition is the limit of how much risk – in an absolute sense – you want to take,” said Gregory Niehaus, professor of Finance and Insurance at the University of South Carolina’s Darla Moore School of Business, during last month’s Next Generation Security Leader development program session. “An alternative view, one that I prefer, recognizes that you engage in risky activity because of the good results. We take risk because we expect a return.”
Companies prefer to have high return with low risk, said Niehaus, but it rarely works that way. “There is typically a tradeoff. If you want a higher return, you need higher risk. So risk appetite is our willingness to trade off risks for expected return.”
Niehaus shared three factors that tend to influence an organization’s risk appetite:
1) The risk appetite of its leadership. “There is evidence that the risk appetite of business leaders depends in part on their own experiences,” he said. “For example, CEO s who have gone through a bankruptcy in another organization may expend more on risk management. Their risk appetite may also be influenced by their executive incentives package. Stock options encourage greater risk taking.”
2) The organizational culture. The Security Executive Council has observed that corporate cultures come in a variety of flavors. Some common cultural styles are the All About the People culture (common in creative companies that prefer not to limit the freedom of employees), the Analytical/Logical culture, the Utilitarian culture (“Just get the work done”), and the Parental culture. The culture of the organization has a strong impact both on how the organization views and interacts with security, and on the risk/return tradeoff the company is likely to pursue.
3) The financial and economic focus on the firm and market characteristics. “Research indicates risk appetite is influenced by how close a firm is to financial distress, the importance of reputation to the firm, its ability to access capital markets, and investment opportunities,” said Niehaus.
Understanding risk appetite in general, and the risk appetite of your organization specifically, is helpful in developing strategy and forecasting organizational support for security initiatives. But more than that, it’s critical to building security’s credibility and influence within the business, said Tim Janes, CSO and Managing Vice President for Capital One. “If companies don’t take risks, they don’t stay in business,” he said. “Businesses understand the principles related to risk appetite. The problem is, many of them don’t think their security leaders do. If you don’t understand these concepts or demonstrate that you understand them, they don’t look at you as a partner in the business. They don’t see the value there.”
Janes remarked on the perception so many business have of security as the department of “no,” the department whose job appears to be blocking the rest of the company from taking advantage of opportunities or conducting better business. “Changing that mindset means gaining an understanding of risk appetite so you can speak to it,” he said. “Our mantra is now ‘We start at yes and work backwards from there’ – it’s a phrase I heard Jim Hutton at Procter & Gamble use, and it’s been very successful here. The businesses understand they can bring us to the table because we will help them find the right solutions and inform their risk appetite, but we’re not just going to say no.”
Risk belongs to the business, not to security. The business decides what risk it is willing to take in order to gain the returns it desires. The security leader’s role is to make sure businesses are fully educated on the risks they face and to help them to figure out ways to manage or reduce risks outside their appetite.