A well-understood risk appetite is key to efficient management, both internally and in third-party relationships with MSPs, consultants, and MSSPs. Without it, recommendations and proposals miss the mark, and valuable time is wasted on proposals that management is unlikely to accept.
There is no "right" answer, only the answer that meets the company's needs.
Growing companies need to accept some risks that would be unacceptable to their larger or more mature brethren. The floor on accepting risk is set by compliance requirements: a company that does not meet those minimums cannot do business.
What does accepting risk mean in real terms? For example, one control that appears in both CMMC and NIST SP 800-171 is to escort visitors.
An organization may choose to accept some risk, head out to the neighborhood office supply store, buy a clipboard and some copy paper, and keep a paper log of visitors and their authorized escorts. The control is implemented at minimal expense and is compliant, but it may have gaps if not well executed: a paper log only records that an escort was assigned, not that the escort actually stayed with the visitor. Total cost: less than $10.
Another company, one that is more risk-averse, may choose to buy a visitor badging system, complete with camera, printer, lanyards, and more. Such systems provide visual confirmation of the escorted visitor, maintain a log, and make it much harder for a visitor to share a badge with someone who was not signed in. Typical cost: $1,500-$4,500.
A third company, also looking to provide Covid-19 temperature scanning, may choose a system that includes facial recognition for employees, ID scanning for visitors, and many more features, at a price that approaches $10,000 or more.
All of these responses are compliant. Risk appetite tells us which type of solution will be appropriate for a given organization. Without some clarity on risk appetite, the employee or vendor making the proposal is "flying blind" and likely wasting time on the way to the right solution.
FutureFeed Observations
In preparing the Risk Appetite Scale and including Company Personality as part of the Company Profile, our staff has made some potentially useful observations.
Typical Risk-Averse Organizations and People
- Mature, profitable organizations
- CEOs and other executives with fiduciary duties to outsiders (stockholders, board of directors)
Typical Risk-Tolerant Organizations and People
- Young, fast-growing companies
- IT managers who feel they are evaluated by the money saved through automation
Typically, organizations are not at one pole or the other, and neither are individuals. What is clear, however, is that good communication that aligns the team on risk appetite leads to more efficient organizations and less friction in decision-making.