As you evaluate methods to improve your business’s or your clients’ security posture, it’s important to first understand risk appetite. Risk appetite measures how much risk your business can tolerate before the potential impact of those risks outweighs the cost savings of leaving them unaddressed.
To help you determine risk appetite, we’ve created a calculator you can use to see where you stand and what you need to do to protect yourself.
First, you need to understand what exactly is at risk. Identify and list the key risk categories relevant to your business. These can include common drivers like:
You will also need to list any others specific to the business, based on industry, customer base, future goals, and more.
Next, define how an interruption to each category would affect your business and its ability to operate. Assign each risk category an impact rating from 1 to 5, with 1 being minimal and 5 being critical.
With impact established, estimate how often each risk category is likely to be affected. On the same scale, assign each category a likelihood rating from 1 to 5, with 1 being rare and 5 being frequent.
Together, these two scores make up your organization’s risk score for each category: multiply the impact score by the likelihood score (Risk score = Impact x Likelihood).
The next step is to define risk appetite levels for ranges of risk score. Because both inputs use 5-point scales, scores range from 1 to a maximum of 25. How you band them will depend largely on your business objectives, industry regulations, stakeholder expectations, and the severity of specific risk categories. For example, you might assign:
Again, this depends largely on your specific business, so tailor the ranges to your understanding of the business at large.
Sum the risk scores from step 4 across all risk categories to obtain your organization’s total risk score. This represents the overall potential risk you face, accounting for both severity and frequency.
Compare the total risk score against the risk appetite levels defined in step 5 to determine the business’s overall risk appetite.
If your risk score exceeds your baseline risk appetite, you have a low risk appetite and should consider investing in your approach to security, starting with people, processes, and technology (PPT).
If the opposite is the case, with your appetite exceeding your risk score, you have a high risk appetite and can continue operating as you are, or even look for ways to streamline. Note, however, that an organization that feels it can take on more risk is not thereby safe from cyberattacks.
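The scoring and comparison steps above, as an added example that is not part of the original calculator: the category names, ratings, appetite bands and the total-score baseline are all constructed assumptions, since the page leaves the actual ranges to each business.

```python
"""Added example: risk score = impact x likelihood per category, summed,
then compared against the business's appetite baseline."""
from dataclasses import dataclass

SCALE = range(1, 6)  # impact and likelihood are both rated 1-5
# Appetite bands over the 1-25 per-category score range. The page leaves the
# ranges to each business; these three bands are constructed for illustration.
APPETITE_LEVELS = [(1, 5, "low"), (6, 12, "moderate"), (13, 25, "high")]

@dataclass(frozen=True)
class RiskCategory:
    name: str
    impact: int      # 1 = minimal .. 5 = critical
    likelihood: int  # 1 = rare .. 5 = frequent

    def __post_init__(self):
        # Reject ratings outside the 5-point scale before any scoring happens.
        for attr in ("impact", "likelihood"):
            if getattr(self, attr) not in SCALE:
                raise ValueError(f"{attr} for {self.name!r} must be 1-5")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # Risk score = Impact x Likelihood

def appetite_level(score: int) -> str:
    """Map one category's 1-25 score onto the defined appetite bands."""
    for low, high, label in APPETITE_LEVELS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 range")

def total_risk_score(categories) -> int:
    return sum(c.score for c in categories)

def assess(categories, appetite_baseline: int) -> dict:
    """Total above the baseline means risk outweighs appetite (low appetite)."""
    total = total_risk_score(categories)
    return {"total": total,
            "appetite": "low" if total > appetite_baseline else "high",
            "per_category": {c.name: (c.score, appetite_level(c.score)) for c in categories}}

# Constructed sample input (hypothetical categories and ratings).
SAMPLE = [RiskCategory("customer data", impact=5, likelihood=3),
          RiskCategory("email", impact=3, likelihood=4),
          RiskCategory("web storefront", impact=4, likelihood=2)]

if __name__ == "__main__":
    print(assess(SAMPLE, appetite_baseline=30))
```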
Now that you have established your scores and compared them to the baseline, you have determined your risk appetite. The job is not done, however: as your business evolves, so will your risk categories and tolerance. Adjust the risk appetite levels and scoring criteria as the business changes; you may find yourself less tolerant of risk as the business and its security posture mature.
With this calculator, businesses can quantitatively assess their risk appetite based on the scores assigned for impact and likelihood. The approach gives a clearer understanding of the organization’s risk tolerance and supports informed decisions about risk management strategies and resource allocation.
If you’ve found that your risks outweigh your tolerance for them, Todyl can help. Our product is backed by decades of cybersecurity experience, so you can effectively address your risk vectors and defend against new and evolving threats. Contact us to learn more.