Risk Appetite Learning Tool

Overview: A key first step in developing and editing policies is to write a high-level risk appetite statement. This tool guides you through the key aspects of developing a risk appetite.

Context: Measuring risk appetite is particularly challenging because of the large number of stakeholders affected and the difficulty of concisely defining and measuring risk appetite. Though challenging, defining your organization’s risk appetite is critical to developing policies that successfully navigate the tradeoff between risk and reward.

Instructions:
1. Read the first two sections, ‘Setting the Anchors’ and ‘Incorporating Feedback from Middle Management’, to understand how to use the ‘Enterprise Risk Appetite Pulse’.
2. Customize the ‘Enterprise Risk Appetite Pulse’ to suit your organization’s needs.
3. Set the plan in motion by meeting with Senior IT Managers and Senior Business Managers.

© 2012 The Corporate Executive Board Company. All Rights Reserved.

Step 1: Setting the Initial Anchors Based on Senior Leadership

The first step in the calibration process is to anchor the indicators around the preferences of executives. The CISO should set these anchors so that the opinion of middle management does not stray too far from the wishes of senior leadership. To gauge the preferences of senior management, the CISO should draw on the following:
- Established security policies
- Prior discussions with executives
- Public statements by executives
- Internal company statements by executives

Step 2: Collaborating Anchors with Middle Management

After the initial anchors are set, the CISO should meet with Senior IT Managers and Senior Business Managers in key business units throughout the company. The goal is to balance executive preferences with the preferences of people on the ground in the operational environment.
The process for blending middle management preferences with those of senior executives works as follows:
Step #1: The CISO meets one-on-one with each Senior IT or Business Manager, presents an anchored copy of each indicator, and explains what the indicator means.
Step #2: The Business or IT Manager moves the anchor to the position that reflects their own preference.
Step #3: After completing the process with all managers, the CISO averages the results and sets a final calibration for each anchor.

Taking the Pulse of the Enterprise

Note: Add, delete, or modify indicators to suit your organization’s needs. Each indicator is a scale between two opposing positions; the left-hand and right-hand anchors are listed for each.

A. Risk Tolerance
1. IT Risk Acceptance: Avoid Risks ... Accept Risks
2. Compliance Stance: Minimal ... Zealous
3. Reactive Versus Proactive: Only Consider Known Risk ... Prepare for Emerging Risk

B. Risk Mitigation Accountability
4. Level of User Responsibility: None ... All
5. Locus of Decision Making: Centralized Planning ... Business Unit Planning

C. Technical Security Capabilities
6. Infrastructure Locus of Control: Private IT Infrastructure ... Outsourcing Preferred
7. Access Assurance: Strong ... Minimal
8. Oversight of New Applications: Authorized Only ... Unrestricted
9. Surety of Products: High Surety Top Consideration ... Surety Not Considered

D. Infrastructure and Usability Preferences
10. Standard Versus Customized IT Infrastructure: Highly Customized ... Highly Standardized
11. Technology Maturity: Mature Only ... Leading Edge Preferred
12. Best in Class Versus Best in Breed: Best in Class ... Best in Breed
13. Open Versus Closed: Closed Solutions ... Open Solutions
14. Vendor Risk: Established Vendors ... Any Vendor

Source: CEB Information Risk Executive Council research; Case from ConocoPhillips
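The calibration procedure in Step 2 (managers move each anchor, the CISO averages the results) and the fourteen indicators of the Pulse above can be worked through in code. The following is an added example, not part of the CEB tool; it assumes each indicator is scored on a 0 to 10 slider (0 = left-hand anchor, 10 = right-hand anchor), and all anchor positions and manager responses are constructed sample values. It goes slightly beyond the text by also reporting how far the averaged position drifts from the executive anchor and how much the managers disagree with each other, which is what a CISO would want to see before fixing the final calibration.

```python
"""Calibrate Enterprise Risk Appetite Pulse anchors from middle-management feedback."""
from statistics import mean, pstdev

# The fourteen indicators from the Pulse: (name, left-hand anchor, right-hand anchor).
INDICATORS = [
    ("IT Risk Acceptance", "Avoid Risks", "Accept Risks"),
    ("Compliance Stance", "Minimal", "Zealous"),
    ("Reactive Versus Proactive", "Only Consider Known Risk", "Prepare for Emerging Risk"),
    ("Level of User Responsibility", "None", "All"),
    ("Locus of Decision Making", "Centralized Planning", "Business Unit Planning"),
    ("Infrastructure Locus of Control", "Private IT Infrastructure", "Outsourcing Preferred"),
    ("Access Assurance", "Strong", "Minimal"),
    ("Oversight of New Applications", "Authorized Only", "Unrestricted"),
    ("Surety of Products", "High Surety Top Consideration", "Surety Not Considered"),
    ("Standard Versus Customized IT Infrastructure", "Highly Customized", "Highly Standardized"),
    ("Technology Maturity", "Mature Only", "Leading Edge Preferred"),
    ("Best in Class Versus Best in Breed", "Best in Class", "Best in Breed"),
    ("Open Versus Closed", "Closed Solutions", "Open Solutions"),
    ("Vendor Risk", "Established Vendors", "Any Vendor"),
]

# Assumed scale: 0 = fully at the left-hand anchor, 10 = fully at the right-hand anchor.
# Step 1: the CISO's initial anchors (constructed sample values, one per indicator).
CISO_ANCHORS = [3, 7, 6, 4, 4, 3, 2, 2, 2, 6, 4, 5, 4, 3]

# Step 2: where each manager moved the anchor (constructed sample values, same order).
MANAGER_POSITIONS = {
    "Senior IT Manager, Operations":      [4, 7, 7, 5, 3, 3, 2, 3, 2, 7, 5, 5, 5, 4],
    "Senior Business Manager, Sales":     [6, 5, 5, 2, 8, 6, 5, 6, 4, 8, 7, 6, 7, 9],
    "Senior Business Manager, Finance":   [2, 8, 6, 5, 4, 2, 1, 2, 2, 5, 3, 4, 4, 3],
}


def calibrate(anchors, positions, drift_limit=2.0, spread_limit=2.0):
    """Step 3: average the managers' positions into a final calibration per indicator.

    Beyond the plain average, two flags are raised (thresholds are assumptions):
    - drift-from-executive-anchor: the average moved more than drift_limit points
      away from the CISO's Step 1 anchor, so executive preferences may be overridden;
    - middle-management-disagreement: the population standard deviation of the
      managers' positions exceeds spread_limit, so no single value represents them.
    """
    report = []
    for i, (name, left, right) in enumerate(INDICATORS):
        scores = [p[i] for p in positions.values()]
        final = round(mean(scores), 1)
        drift = round(final - anchors[i], 1)
        spread = round(pstdev(scores), 1) if len(scores) > 1 else 0.0
        flags = []
        if abs(drift) > drift_limit:
            flags.append("drift-from-executive-anchor")
        if spread > spread_limit:
            flags.append("middle-management-disagreement")
        report.append({
            "indicator": name, "left": left, "right": right,
            "anchor": anchors[i], "final": final,
            "drift": drift, "spread": spread, "flags": flags,
        })
    return report


def render(report):
    """One line per indicator showing the slider and any flags for the CISO's review."""
    lines = []
    for r in report:
        flag_text = f"  [{', '.join(r['flags'])}]" if r["flags"] else ""
        lines.append(
            f"{r['indicator']}: {r['left']} ... {r['right']}  "
            f"anchor={r['anchor']} final={r['final']} drift={r['drift']:+} spread={r['spread']}{flag_text}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(calibrate(CISO_ANCHORS, MANAGER_POSITIONS)))
```

With the constructed values, "Locus of Decision Making" is flagged for disagreement (the Sales manager sits far from the two others), and "Vendor Risk" is flagged for both drift and disagreement; those are the indicators the CISO should revisit with the managers rather than silently accept the average.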