Speaking at RSA Conference 2019 on ‘Defining a cyber-risk appetite that works,’ Jack Jones, chairman of the FAIR Institute, discussed the need to create a risk appetite, and how to identify what you need a risk appetite for.

He said that having a risk appetite “depends on your situation” and this is not a static thing, and can change and can still be a useful tool in risk management.

Highlighting comments on why you need to bother with a risk appetite, Jones said that it can:

  • Provide clarity in expectations
  • Improve focus in risk management efforts
  • Improve communication with stakeholders
  • Reduce the likelihood of unacceptable loss

Jones said that companies need to determine what an unacceptable loss is and this can be one that can be based upon choosing a scenario on what your organization does.

He said: “What is the loss or event scenario you care about: maybe it’s disclosure, outage, non-compliance or financial mis-statement – it could be all of them, and by defining distinctly you could define it and manage risk appetites.”

Jones encouraged “drawing a line in the sand” and used the example of losing no more than one million customer records, and to…

Read More…

Обучение для риск менеджеров