Key Risk Indicators: Risk Tolerance Vs Risk Appetite

As Abhijit Naskar said in Vatican Virus: The Forbidden Fiction, "The only way to maintain privacy on the internet is to not be on the internet." Strangely enough, romantic fiction hit a bull's eye on the topic of the Internet.
However, organizations can't carry out a successful business in isolation, and therefore, they must be on the Internet. Being on the Internet comes with risks. Every organization is keen on maintaining risk registers and building effective risk management processes.
So how much risk should an organization take, and how much should it spend on security without risking overkill? It all depends on the risk tolerance and risk appetite of the organization. So let's do a deep dive and understand what risk tolerance and risk appetite are.
What is risk appetite?

Cyber risk appetite is the level of risk an organization is willing to take on cyber threats in order to achieve its objectives.
For example, Marriott Hotel's database has been breached multiple times. But is it enough for the hotel chain to stop maintaining guest lists? Similarly, there are numerous legal suits due to data breaches in organizations. Are they going to scare you from collecting and using customers' data? Yes, you must do everything to keep your customers' data safe. But how much is too much?
Defining risk appetite is the key to a successful enterprise risk management (ERM) policy. In addition to the organization's risk appetite, ERM includes how an organization communicates and responds to the risks.
An organization must share its risk appetite with all its employees and address it regularly to stay within acceptable boundaries.
The four phases of risk appetite are:

What is cyber risk tolerance?
Risk tolerance refers to the degree to which an organization is ready to deviate from the risk appetite to achieve other goals. It is a tactical idea implemented to analyze the given opportunity and compare it with the risk appetite stated in its policies.
Risk tolerance differs by industry, because the data an organization handles and the harm a breach causes differ.
For instance, the risk tolerance of a hospital handling patients' personal health information (PHI) will be much lower than that of a grocery store holding customer preference data.
Exceeding risk tolerance will result in immediate action from higher management as the organization is exposed to higher risk.
What is cyber risk capacity?
Risk capacity is the highest risk an organization can afford to remain viable. Normally, no organization will go beyond its risk capacity and survive. Risk capacity will vary across business units under different scenarios. Risk capacity can indicate the ways in which an organization can fail. It answers our question – how much is too much?
While risk tolerance is tied to specific goals, risk capacity spans an organization's long-term and short-term goals. In the cybersecurity world, a high risk capacity does not translate into high returns, as it can in the financial world.

Risk appetite vs. risk tolerance
Even though they are often used interchangeably, risk appetite and risk tolerance are two different concepts. Risk appetite is the measure of how much risk an organization is willing to take, whereas risk tolerance is the degree to which an organization will deviate from that appetite to pursue a strategic outcome.
The following table shows the difference between risk appetite and risk tolerance.
| Risk appetite | Risk tolerance |
| --- | --- |
| A broader concept that defines the company's risk management activities | Compares opportunities with the risk appetite |
| The ability or willingness of the organization to take risks | The degree of deviation that the organization is willing to accept from its risk appetite |
| Defined as a range rather than a specific number | One specific number |
| Applies to setting strategic goals for the business | Applies to the opportunity and the deviation from the plan |
How is risk measured?
Risk appetite and risk tolerance require appropriate measuring of risks. Risk can be measured using various quantitative and qualitative methods, depending on the nature of the risk and the available data.

Probability and impact assessment
This method involves assessing the likelihood or probability of a risk event occurring and the potential impact or consequences if it does occur. Probability can be expressed as a percentage or a frequency, while impact can be measured in terms of financial loss, operational disruption, reputation damage, or other relevant metrics. By combining the probability and impact assessments, a risk rating or score can be calculated to prioritize risks.
Historical data analysis
Analyzing historical data can provide insights into past occurrences of risks and their associated impacts. By examining patterns and trends, organizations can estimate the likelihood and potential consequences of similar risks in the future. This approach is commonly used for risks with well-documented historical data, such as financial risks.
Scenario analysis
Scenario analysis involves constructing hypothetical scenarios to evaluate the potential outcomes of specific risk events. Different scenarios are created based on varying assumptions, and their likelihood and impacts are assessed. This method helps organizations understand the range of possible outcomes and develop appropriate risk mitigation strategies for each scenario.
Risk surveys and questionnaires
Surveys and questionnaires can be used to collect subjective opinions and perceptions about risks from experts, stakeholders, or employees. Participants are typically asked to rate the likelihood and impact of various risks based on their knowledge and experience. The results are then aggregated and analyzed to identify common trends and prioritize risks.
Risk matrices
Risk matrices visually represent the likelihood and impact of risks using a matrix format. The likelihood is typically represented on one axis (e.g., low to high), and the impact is represented on the other axis (e.g., low to high). Risks are plotted on the matrix based on their assessed likelihood and impact, allowing organizations to prioritize risks based on their position within the matrix.
Quantitative risk analysis
In some cases, organizations can use statistical models, mathematical formulas, or simulation techniques to quantitatively analyze risks. This involves assigning numerical values to various risk parameters, such as probabilities and impacts, and using mathematical calculations or simulations to estimate the overall risk exposure or potential outcomes.
Expert judgment
Expert judgment involves consulting with subject matter experts or professionals who have specialized knowledge and experience in a particular domain or industry. These experts provide their assessments and insights on the likelihood and impact of risks based on their expertise. Their input can be valuable in situations where data is limited or unavailable.
What are Key Risk Indicators (KRIs)?
Risk related to an activity is tracked through key risk indicators (KRIs). KRIs are specific metrics or indicators used to monitor and measure the performance or status of key risks within an organization. They provide a way to track and assess the likelihood and impact of identified risks in a quantitative or qualitative manner.
KRIs are typically developed based on the organization's risk appetite and the specific risks it faces. They help in the early identification and proactive management of risks by providing timely information about the potential emergence or escalation of risks.
Calculating KRIs benefits the organization in the following ways:
- Helps the organization foresee risks that could have a damaging impact on the business
- Reveals gaps in the organization's monitoring tools
- Enables continuous risk monitoring
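The following added example (not from the article or from Scrut) ties the measurement methods above to the three thresholds the article defines: a likelihood x impact score, an appetite expressed as a range, a tolerance and a capacity expressed as single numbers, and a KRI with warning/critical thresholds. The 5-point scale, the threshold values and the KRI are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed 5-point scale for likelihood and impact (assumed, not from the article).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # a key of LEVELS
    impact: str      # a key of LEVELS

    def score(self) -> int:
        # Risk rating = likelihood x impact, the probability-and-impact method above.
        return LEVELS[self.likelihood] * LEVELS[self.impact]

@dataclass(frozen=True)
class RiskPolicy:
    # Appetite is a range; tolerance and capacity are single scores (values are assumed).
    appetite: tuple  # (low, high) inclusive band of acceptable scores
    tolerance: int
    capacity: int

    def classify(self, risk: Risk) -> str:
        s = risk.score()
        if s <= self.appetite[1]:
            return "within appetite"    # accept and keep monitoring
        if s <= self.tolerance:
            return "within tolerance"   # tactical deviation, needs documented sign-off
        if s <= self.capacity:
            return "exceeds tolerance"  # immediate action from higher management
        return "exceeds capacity"       # the organisation cannot absorb this risk

@dataclass(frozen=True)
class KRI:
    # A key risk indicator with warning and critical thresholds (constructed example).
    name: str
    value: float
    warning: float
    critical: float

    def status(self) -> str:
        if self.value >= self.critical:
            return "critical"   # early warning that a risk is escalating
        if self.value >= self.warning:
            return "warning"
        return "normal"

def prioritise(policy: RiskPolicy, risks: list) -> list:
    # Rank risks highest score first, each tagged with its policy classification.
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), policy.classify(r)) for r in ranked]
```

With an appetite of (1, 6), a tolerance of 12 and a capacity of 20, a "high" likelihood, "medium" impact risk scores 12 and is still within tolerance, while a "medium" likelihood, "very high" impact risk scores 15 and requires escalation.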
Final word
Organizations must evaluate the risks and benefits of opportunities, people, and every other factor before entering into contracts. Cyber risks come into play when organizations use open networks like the Internet for communication.
In this day and age, it is not possible to carry out a successful business without going online. Therefore, organizations must consider their risk capacity, risk appetite, and risk tolerance to weed out excessively risky endeavors.
Scrut's effective risk management module is a one-stop solution for all organizations looking to automate their risk management process and streamline compliance. Schedule your demo today to see how it works.

FAQs
1. What are key risk indicators? Key risk indicators are responsible for defining and communicating the risk posture of the organization to its stakeholders. They help everyone in the organization understand the organization's risk management policies.
2. What is the difference between key risk indicators and key performance indicators (KPI)? A Key Performance Indicator (KPI) is a metric used to measure the performance and progress of an organization toward its strategic goals and objectives. KPIs are used to assess the effectiveness and efficiency of business processes, operations, and overall performance.
Key risk indicators (KRI) are responsible for defining and communicating the risk posture of the organization to its stakeholders. They help everyone in the organization understand the organization's risk management policies.
While both KRIs and KPIs are metrics used for measurement, KRIs are primarily focused on monitoring and assessing risks and vulnerabilities, providing early warnings of potential problems. KPIs, on the other hand, are focused on measuring performance and progress toward strategic goals and objectives.
3. What are the different types of KRIs? The different types of KRIs are:
1. Financial KRI
2. Operational KRI
3. Compliance KRI
4. IT security KRI
5. Reputational KRI
6. Market and competitive KRI
7. Environmental, Social, and Governance (ESG) KRI