The first step to addressing the myriad types of risk that need to be managed in an organisation is understanding risk appetite and tolerance. ISACA has released two new resources that offer guidance in both areas: the Using Risk Tolerance to Support Enterprise Strategy white paper and Risk Scenarios Toolkit.
The Using Risk Tolerance to Support Enterprise Strategy white paper examines the definitions of risk appetite, risk tolerance and risk capacity, not only for risk practitioners but also for management. It contrasts risk appetite against risk tolerance and explores the range of tolerance and the use of tolerance limits and triggers. It also offers guidance on how to establish a risk tolerance framework and use risk tolerance measures to make decisions, as well as how to track, report and control risk tolerance.
The publication outlines several key benefits of risk tolerance, including:
- Provides structure to the conversation and communicating explicitly what is acceptable.
- Increases transparency of the risk management process, enabling stakeholders to better understand the enterprise’s risk position.
- Helps board of directors articulate appropriate levels of risk tolerance.
- Supports the communication of risk that matters the most to the enterprise as it pursues its strategic objectives.
“Many use risk-related terms interchangeably, which can lead to confusion among stakeholders and inconsistent implementation of risk management efforts,” says Paul Phillips, ISACA Director of Event Content Development. “It is important that risk practitioners, boards of directors, and managers are all on the same page regarding risk tolerance, risk appetite and risk capacity so they are able to make informed decisions on balancing risk with meeting business objectives while each effectively play their vital roles in risk management.”
Understanding risk tolerance is critical to practitioner risk management efforts. ISACA’s Risk Scenarios Toolkit offers a resource with 87 sample risk scenario templates that can assist in providing organisational engagement, analysis and structure to information and technology (I&T) risk. The templates, which are provided in Word documents that users can adapt to their unique needs, cover categories of risk, attributes needed to assess and respond to risk, the extent or scale, controls related to risk, and key risk indicators.
Some of these risk scenarios outlined in the toolkit include critical application software malfunctions, undocumented enterprise architecture, malicious insider, inadequate master data management, and pandemic outbreak.
“Detailed risk scenarios can serve to consolidate and structure important information used to communicate in the risk management process among different stakeholders and align plans with business goals,” says Lisa Young, senior metrics engineer, Netflix, and one of the lead developers for the Risk Scenarios Toolkit. “They can be a valuable tool in helping people involved across different teams and levels of leadership understand specific risk and potential business impacts.