Risk Appetite Learning Tool
 Overview: A key first step to developing and editing policies is to develop a high-level risk appetite statement. This tool will guide you through the key
aspects of developing a risk appetite.
 Context: Measuring risk appetite is particularly challenging due to the large number of stakeholders affected and the challenge of how to concisely define
and measure risk appetite. Though challenging, defining your organization’s risk appetite is critical to developing policies that successfully navigate the
tradeoff between risk and reward.
 Instructions: First, read the first two sections – ‘Setting the Anchors’ and ‘Incorporating Feedback from Middle Management’ – to understand how to use
the ‘Enterprise Risk Appetite Pulse’; second, customize the ‘Enterprise Risk Appetite Pulse’ to suite your organization’s needs; Third, set the plan in
motion by meeting with Senior IT Managers and Senior Business Managers.
© 2012 The Corporate Executive Board Company. All Rights Reserved.
Risk Appetite Learning Tool
Step 1: Setting the Initial Anchors Based on Senior Leadership
The first step in the calibration process is to anchor the indicators around the preferences of executives. The CISO should set these anchors to ensure that
the opinion of middle management does not stray too far from the wishes of senior leadership. To gauge the preferences of senior management, the CISO
should leverage the following:




Established security policies
Prior discussions with executives
Public statements by executives
Internal company statements by executives
Step 2: Collaborating Anchors with Middle Management
After the initial anchors are set, the CISO should meet with Senior IT Managers and Senior Business Managers in key business units throughout the
company. The goal is to balance executive preferences with the preferences of people on the ground in the operational environment. The process for
blending middle management preferences with those of senior executives works as follows:
Step #1—CISO meets one-on-one with Senior IT or Business Manager, presents an anchored copy of each of the indicators, and explains the meaning
of the indicator.
Step #2—Business or IT manager moves the anchor to a position based on their personal preference.
Step #3—After completing the process for all managers, the CISO averages the results and sets a final calibration for each anchor.
© 2012 The Corporate Executive Board Company. All Rights Reserved.
Risk Appetite Learning Tool
Taking the Pulse of the Enterprise
Note: Add, delete, or modify to suite your organization’s needs.
A. Risk Tolerance
Anchor
1. IT Risk Acceptance
Avoid Risks
2. Compliance Stance
Minimal
3. Reactive Versus Proactive
Only Consider Known Risk
Accept Risks
Zealous
Prepare for Emerging Risk
B. Risk Mitigation Accountability
4. Level of User Responsibility
5. Locus of Decision Making
None
All
Centralized Planning
Business Unit Planning
Private IT Infrastructure
Outsourcing Preferred
C. Technical Security Capabilities
6. Infrastructure Locus of Control
7.
Access Assurance
8. Oversight of New Applications
9. Surety of Products
Strong
Authorized Only
High Surety Top Consideration
Minimal
Unrestricted
Surety Not Considered
D. Infrastructure and Usability Preferences
10. Standard Versus Customized IT Infrastructure
Highly Customized
Highly Standardized
11. Technology Maturity
Mature Only
Leading Edge Preferred
12. Best in Class Versus Best in Breed
Best in Class
Best in Breed
13. Open Versus Closed
14. Vendor Risk
Source: CEB Information Risk Executive Council research; Case from ConocoPhillips
© 2012 The Corporate Executive Board Company. All Rights Reserved.
Closed Solutions
Established Vendors
Open Solutions
Any Vendor