Speaking at RSA Conference 2019 on ‘Defining a cyber-risk appetite that works,’ Jack Jones, chairman of the FAIR Institute, discussed the need to create a risk appetite, and how to identify what you need a risk appetite for.
He said that what a risk appetite looks like “depends on your situation”: it is not a static thing, it can change over time, and it can still be a useful tool in risk management.
Addressing why an organization should bother with a risk appetite at all, Jones said that it can:
- Provide clarity in expectations
- Improve focus in risk management efforts
- Improve communication with stakeholders
- Reduce the likelihood of unacceptable loss
Jones said that companies need to determine what an unacceptable loss is, and that this can be defined by choosing a loss scenario that reflects what the organization actually does.
He said: “What is the loss or event scenario you care about: maybe it’s disclosure, outage, non-compliance or financial mis-statement – it could be all of them, and by defining distinctly you could define it and manage risk appetites.”
Jones encouraged “drawing a line in the sand” and used the example of losing no more than one million customer records, and to…