Accurately and objectively assessing risk tolerance (i.e., "risk appetite") is one of the first and most important tasks in formalized risk management approaches. And while many aspects of risk management can be complex, risk appetite is quite the opposite. At its core, all it means is that some organizations are more willing to take risks, while others are less so.
To understand this in practice, consider the analogy of retirement planning. When people are young, they generally favor high-yield investments that carry above-average risk, because they have time to recoup losses over the long term. When earning years are fewer and people approach retirement, they transition to more stable, lower-yielding investments. The dynamics in this case are straightforward: Financial risk tolerance is proportional to remaining earning years.
But this analogy also implies something else about risk appetite -- namely, that it isn't one constant value. Consider someone tolerant of certain calculated risks in one area of his or her life: Maybe a person enjoys extreme sports like skydiving or mountain climbing. Does that mean he or she should change his or her retirement strategy? Should this person, for example, eschew the stock market in favor of a Vegas casino, or enter into a highly speculative hedge fund right before retirement? Of course not. It might even be smarter for this person to be less risk tolerant with finances because of the extreme sporting (perhaps to keep some savings available in case of an injury). The point is that someone might be risk tolerant relative to certain types of risks, and less risk tolerant relative to others.
What is cloud risk appetite?
"Risk appetite" for organizations works the same way. An organization might be willing to take on certain kinds of risks (say, for example, business risks) but be more guarded about others (for example, technology risks). Alternatively, even within the same risk category, it might be more tolerant in one area versus another. For example, an organization might be liberal with risks associated with employee desktop use, but more conservative when it comes to payment or financial systems.
From a practical standpoint, what this means is that it can be advantageous for an organization to evaluate risk tolerance relative to certain areas in isolation -- specifically, areas that have unique requirements, are new or haven't been evaluated before, or that are emerging or rapidly changing. Evaluating these separately allows two things to occur. First, it allows "off-cycle" risk management (including analysis and mitigation) without the company having to reassess risk everywhere -- a potentially time-consuming activity that may need to be repeated. Secondly, it allows flexibility, because relatively immature technologies are likely to evolve quickly as threats emerge and as supporting technologies mature.
Cloud computing is one of these areas: It's relatively new (at least in terms of adoption at many organizations) and has a few unique properties that affect risk (we discussed some of those properties in detail in a related tip). Because cloud technology is rapidly evolving, new threats are emerging, and regulatory interest in cloud is expanding; understanding the organization's tolerance for risk in this specific area is therefore advantageous. This focused understanding of the organization's tolerance for risks related specifically to cloud is what we're referring to as "cloud risk appetite."
Assessing tolerance for cloud risk
So, how does an organization assess its cloud risk appetite? Several factors need to be considered. First and primarily, consider the risk tolerances of other business, financial and technology areas because these will tie back to the culture and goals of the organization as a whole. There are any number of cultural, regulatory and business-specific factors that can influence an organization's risk appetite overall -- and will consequently impact how it approaches the cloud. If an organization has already undertaken a risk management exercise, it's almost certain that these items have been evaluated and are codified somewhere. Drawing on these artifacts saves the hassle of reinventing the wheel.
If your organization has never undertaken any systematic or formalized risk management, this evaluation becomes somewhat challenging. You'll need input on the organizational tolerance for risk in broader terms -- but artifacts documenting that tolerance might not exist. As a consequence, you'll need to do enough of this work to inform your activities, but note that fully evaluating every area or gaining director-level sign-off on your assumptions probably won't be in the cards.
Secondly, you'll need to understand your own technology strategy. Are you planning to shift most of your operations to the cloud? Are you planning to selectively make use of cloud in a very limited way? Questions of this nature will influence the amount of risk that your organization will be willing to take on in the cloud, particularly in light of the cultural factors you analyzed in step one. For example, if you're heavily committed to cloud as a long-term strategy but your organization is one where external perception is important, you might paradoxically be less willing to tolerate cloud risks in the short term than otherwise. Why? Because a highly visible attack could erode organizational confidence in cloud computing in the long term and therefore jeopardize your long-term strategy.
Lastly, the personnel and technology support that you can expect as you roll out cloud computing should be evaluated. For example, can other areas of the organization (e.g., compliance, counsel and audit) assist with risk evaluation, threat monitoring, ongoing operations, vetting of providers, etc.? Can you employ technical strategies to keep tabs on threats, vulnerabilities and other factors that present risk? You may be able to tolerate a higher level of risk if you have a clear understanding of your ability to track, manage and react to those risks over time.
Once you've evaluated these areas, the next step is to document your cloud risk appetite formally. That means write it down and communicate it to the organization. Formalizing it in a written document helps make sure all aspects are thought through and well vetted -- and publishing can help other areas of the organization act in keeping with what you've determined. It's less likely that a business unit would engage in a "below the radar" cloud deployment if they've just read a statement from you about how low your risk tolerance is and why.
About the author:
Ed Moyle is currently director of emerging business and technology for ISACA. He previously worked as senior security strategist for Savvis Inc. and as senior manager with CTG. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.