7 approaches to setting risk appetite for cyber security
The vast majority of companies would consider cyber security a principal or “material” risk for the business, as it could have wide-ranging impacts on other elements of the organisation’s risk profile (e.g., data privacy) and its ability to operate.
It is perhaps unsurprising, then, that most large corporates set a specific level of risk appetite for cyber-related risks. The process for this, however, does vary between organisations.
Based on a recent benchmark of large, multinational companies, we summarise 7 approaches risk leaders have taken to set risk appetite for cyber security:
Approach 1: Collaborative effort with CISO
There is some divergence between organisations in terms of who is responsible for setting risk appetite for cyber security.
One risk leader explained that they are involved in the process, working in partnership with the Chief Information Security Officer (CISO) and their team to agree the correct level of appetite.
To arrive at this appetite setting, the business’ ability to tolerate the financial impact of a cyber event (or several at once) is evaluated, as is the impact of business disruption and reputational damage owing to a cyber attack.
Risk appetite for cyber security: pulse check
A Risk Leadership Network member wanted to understand how other organisations are establishing a risk appetite framework for cyber-related risks. To support them, we created a benchmark which explored how 10 organisations are setting risk appetite for cyber security, and what indicators they are using, if any, to measure the risk relative to appetite. Through in-depth interviews with risk leaders at 10 multinational organisations across multiple sectors, including telecommunications, technology and retail, we provided the member with a bespoke benchmark report on setting appetite for cyber security risks. This article is a high-level summary of 7 approaches shared in the benchmark. Find out more about the benchmark and request to see the full report.
Approach 2: CISO leads on cyber risk
At another organisation, risk appetite for cyber is proposed directly by the CISO, before being agreed with executive management and the board. The role of enterprise risk management, then, is to support the business to keep cyber risk within appetite.
Risk appetite in cyber is reviewed twice a year at board level and monitored on an ongoing basis by the IT team, who can advise on whether the business’ risk exposure is increasing or decreasing.
Approach 3: Risk appetite for cyber "domain"
Instead of setting appetite for specific types of cyber risk, e.g., data protection or cyber attacks, one organisation sets risk appetite at an overarching cyber “domain” level. This domain encompasses all of the business’ cyber-related risks.
The risk team uses a typical 5x5 impact / likelihood matrix to report an aggregated view of the level of cyber risk relative to the business’ appetite, which is set at “medium”.
Approach 4: Breaking cyber risk down into critical events
One organisation breaks down all principal risks – including cyber – into a series of critical risk events that may occur.
Events the business is “intolerant” to are identified and mitigated further. In a cyber context, this could be a cyber attack that causes a key business system to stop functioning for a prolonged period of time.
Events that are less “business critical” are also highlighted, but the organisation accepts more risk for these, as there is less potential for the business to fail because of them.
Approach 5: Cyber risk appetite statement supported by metrics
In terms of how risk appetite for cyber security is captured, risk leaders in our network are taking different approaches.
One organisation produces a specific risk appetite statement for cyber security. This describes the appetite qualitatively, but also reinforces it with metrics.
Around 15 risk-based indicators, representative of the business’ wider cyber risk profile, are used to set thresholds for risk appetite. We’ve included some examples of these metrics below:
- Percentage of third-party cyber reviews completed
- Number or percentage of simulated phishing emails clicked on
- Percentage of critical vulnerabilities detected and reported using the business' strategic tools
- Insurance coverage for organisation in the event of cyber breach (yes/no)
- Data loss prevention measures implemented (yes/no)
- Percentage of systems covered by underlying recovery plans
- Adherence of the business to criteria in minimum maturity ratings (e.g., NIST)
- Completion of independent penetration testing (yes/no)
- Number of cyber breaches experienced
- Number of critical assets compromised
- Mean time to detect cyber breach
Approach 6: Cyber included under risk appetite policy
An overall risk appetite policy (i.e., one document) sets out varying levels of appetite for themes of risk. Many of these themes align to the business’ material risks. For each theme – of which cyber is one – an average of 3 key risk indicators (KRIs) are set.
Thresholds associated with these KRIs typically break down into three levels:
- Accept – if the risk is within appetite;
- Alert – if the risk is marginally outside of appetite; and
- Act – if the risk has moved well outside of appetite.
In reporting, the progress of each theme is captured in the form of a four-quarter trend, which helps demonstrate to senior leadership how all risks, including cyber, are moving.
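Approaches 5 and 6 above describe risk-based indicators with Accept / Alert / Act thresholds and a four-quarter trend per theme. The following is an added example (not from the article or any of the benchmarked organisations) showing one way to evaluate such KRIs in code; the metric names, thresholds and quarterly values are constructed assumptions, and it handles both "higher is worse" metrics (phishing click rate) and "lower is worse" metrics (recovery plan coverage).

```python
# Added example: KRI thresholding (Accept / Alert / Act) and a four-quarter
# trend for the cyber theme. All names, thresholds and values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    alert: float           # crossing this leaves appetite marginally
    act: float             # crossing this is well outside appetite
    higher_is_worse: bool  # True for click rate / MTTD, False for coverage %

    def status(self, value: float) -> str:
        """Map a single observation to Accept, Alert or Act."""
        if self.higher_is_worse:
            if value >= self.act:
                return "Act"
            return "Alert" if value >= self.alert else "Accept"
        if value <= self.act:
            return "Act"
        return "Alert" if value <= self.alert else "Accept"


# Three KRIs for the cyber theme, as in Approach 6 (constructed thresholds).
CYBER_KRIS = [
    KRI("phishing_click_pct", alert=5.0, act=10.0, higher_is_worse=True),
    KRI("recovery_plan_coverage_pct", alert=90.0, act=75.0, higher_is_worse=False),
    KRI("mean_time_to_detect_days", alert=7.0, act=30.0, higher_is_worse=True),
]

# Four quarters of constructed observations per KRI, oldest first.
QUARTERLY = {
    "phishing_click_pct": [3.1, 4.2, 6.5, 11.0],
    "recovery_plan_coverage_pct": [95.0, 92.0, 88.0, 89.0],
    "mean_time_to_detect_days": [2.0, 3.0, 4.0, 5.0],
}

SEVERITY = {"Accept": 0, "Alert": 1, "Act": 2}


def theme_trend(kris, quarterly):
    """Return each KRI's four-quarter status trend and the theme's worst current status."""
    trend = {k.name: [k.status(v) for v in quarterly[k.name]] for k in kris}
    current = max((t[-1] for t in trend.values()), key=SEVERITY.__getitem__)
    return trend, current


if __name__ == "__main__":
    trend, current = theme_trend(CYBER_KRIS, QUARTERLY)
    for name, statuses in trend.items():
        print(f"{name:28s} {' -> '.join(statuses)}")
    print("Cyber theme status:", current)
```

The theme status is taken as the worst of its KRIs, so a single indicator moving to Act flags the whole theme for senior leadership even when the others remain within appetite.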
Approach 7: Using board surveys to set cyber risk appetite
One organisation sets risk appetite for cyber security at multiple levels.
First level: A high-level risk appetite statement for cyber security.
Second level: Metricise appetite by producing a target score for the risk – i.e., where the business should be. This is set by asking the board a series of appetite-related questions in a survey. Responses from the survey are used to set the target score.
Once this has been established, the current risk level is mapped onto the target score to show how far the business has to go to reach its objective. If there is a wide gap, actions to achieve the target score are identified and organised into a flight path the business can follow.
Next steps
For the member who raised this priority, we’ve facilitated a series of 1-to-1 virtual meetings with risk leaders who have implemented the approaches the member was most attracted to.
We’ll continue to facilitate collaboration, exchange peer insights and produce tailored benchmarks to support risk leaders on their immediate risk priorities, including appetite and cyber risk.
To find out more about how we could support you with a specific challenge you're facing, please book an introductory call.