Cyber Matters: It’s Time to Decide What Kind of Risk is Acceptable


by Rob Sloan, cybersecurity research director, WSJ Pro

When executives are asked what data they are prepared to lose, many respond saying they will not accept the loss of any data. The sentiment is noble, but this is not the right answer. Instead, executives and boards should agree on acceptable levels of cyberrisk across an organization, and begin by setting the risk appetite.

Outside of highly regulated industries, too few companies currently have internally defined and agreed upon their risk appetite. As such, they are not in a position to adequately examine their preparedness for cyberrisks.

“In a perfect world, an organization would develop their risk appetite framework ahead of building out their broader risk management program,” said Brian Schwartz, U.S. internal audit, compliance and risk management leader at PricewaterhouseCoopers LLP, adding that most organizations do not operate this way. “At the end of the day, the board and executive management should define and set the organization’s appetite to take on risk in the face of its strategic objectives.”

The risk appetite is meant to demonstrate the kind of protection, detection and response plans in place to ensure company operations are safe, and customer data is protected. While the plan will vary depend on the organization, the risk appetite is meant to protect brand reputation, and can help guide anything from product design and technology policies to business processes.

According to Mr. Schwartz, an effective risk appetite framework “enables the organization to adjust risk management and make sure it stays relevant.”

Anyone Can Do It

The process begins with a discussion with management about what the organization is seeking to achieve over the medium-term. Each discrete part of the strategy will have a set of associated risks. Cyberrisk–including threats to the confidentiality, integrity and reliability of corporate data and networks–should be a key priority.

“Once the risk appetite statement is approved, communicated and leveraged by the organization, it is important the company revisits it periodically,” said Mr. Schwartz.

One prerequisite is that both the management and board accept that completely eradicating cyberrisk is not possible.

Mr. Schwartz encourages organizations to review the statement on an annual basis and “after certain triggering events” including business model shifts, major risk events, changes in strategic priorities, new leadership and others.

“A great step in prioritizing cybersecurity efforts is to set the cyberrisk appetite,” said Kimberly Johnson, executive vice president and chief risk officer at the Federal National Mortgage Association, known colloquially as Fannie Mae. “It can be a challenging process, since most companies are reluctant to accept any cyberrisk at all.”

And Then What?

With a risk appetite statement in place, the next task is to set the risk tolerance with quantitative or qualitative parameters. These can be changed over time, either as the risk evolves or as operational requirements dictate. There is no right or wrong level, so long as the stakeholders are aware.

“Risk managers must work closely with their boards and focus on strategic risk, mitigating emerging threats and optimizing opportunities,” said Nicola Crawford, chair of the Institute of Risk Management, an education organization. “Risk management must not simply become a back-office, compliance function.”

Ms. Crawford added that an effective risk framework could be a boon to businesses.

For example, law firms have a low risk threshold for data security because of the devastating impact a hacking incident could have on a firm and its clients. Creating a highly monitored environment with strict access controls–and communicating those defenses to clients–may help drive new business from clients who demand heightened levels of security.

“Some risks are an opportunity as well as a threat,” according to Ms. Crawford. “The skill is being nimble enough as an organization to identify these accordingly.”

(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors. For more information about WSJ Pro Cybersecurity please visit