By assessing your organization’s business risk appetite, you can also ensure that its cyber risk appetite is aligned to help achieve your overall corporate strategy.
That said, an organization’s risk appetite or tolerance can be difficult to measure, in part because business units in an organization may view the same risk differently. For example, an opportunity that looks attractive to sales may seem overly risky to IT. This can lead to inappropriate levels of risk control being applied to people, processes and technology.
Fortunately, models are available to help enterprises navigate this terrain. As part of the toolkit for Board members, the World Economic Forum has established guidelines to help boards define and quantify their organization’s risk tolerance, ensuring consistency between its corporate strategy and its cyber risk appetite. These include:
- Understanding the potential business impact of risk on both individual projects and business lines, as well as on the organization as a whole.
- Agreeing on risk appetite in light of shareholder, regulatory, customer and other external perspectives, such as legal considerations.
- Understanding how the balance between meeting business objectives on the one hand, and the operational cost and impact of cybersecurity on the other, is determined by risk appetite.
- Clarifying how the agreed-upon risk appetite should be applied to business decision making.
- Presenting the difference between agreed-upon risk appetite and actual risk tolerance on an annual basis.
Managing the cyber resilience element of enterprise risk involves engaging both IT and business leaders in an ongoing dialogue about balancing risk vs. opportunity in the context of the business strategy.
This proactive approach is more effective than simply reacting to the news media’s latest “cyber scare.” By using a structured management framework, an organization can ensure that all its leaders, at all levels, understand both the organizational risk position and the competitive advantage of true cyber resilience.
Read more in the position paper, “Managing Enterprise Risk in a Connected World.”
Author: Chris Moyer
Chris Moyer is the DXC Technology Chief Technology Officer for the business group and leads the DXC Mobility and Workplace practice. As the CTO, Chris leads a trusted group of technical advisors, providing technology roadmaps, applying innovation and governing solutions that deliver business outcomes for clients. As the leader of the Mobility and Workplace Practice, he is responsible for establishing the services portfolio DXC clients use as the window into their information, whether in an office or on the road. Supporting over 500 different clients and 6 million devices, the Practice provides CIOs with secure delivery of information assets to their organizations and customers. Chris Moyer is currently also working with Microsoft on a joint go-to-market strategy.