You’ve probably heard risk managers and accreditors bang on about having risk appetite statements but have you ever actually seen one? If you have, the chances are it was fairly bland and practically worthless. So, if you’re ever required to produce one, where on earth do you begin?
Guidance in the HM Treasury Orange Book is worth looking at, as is HMG GPG 47 (if you can get hold of a copy), which contains some examples. However, you’ll find they’re not the best source of inspiration.
So, to get you started, we’ve put together some top tips for drafting risk appetite statements. Firstly, remember that risk appetite statements are there to set boundaries within which a business can operate without exposing itself to unexpected risk or cost. Risk appetite statements aim to get the balance right across the business:
1) Define risk appetite levels. You can devise your own, but the Orange Book defines five different risk appetite levels (Averse, Minimalist, Cautious, Open and Hungry) that can help get you started. However, these are meaningless unless expressed in terms that your business understands. Try to determine what these different levels really mean in the context of your business. As an example:
The Orange Book – Averse level
Avoidance of risk and uncertainty is a key objective.
What does this mean for your business?
Significant cost and effort will be made to avoid the risk being realised. Only systems and/or services with a proven security pedigree will be appropriate and then subject to rigorous and regular (through life) testing. There must be a high degree of certainty that the risk is unlikely to materialise and if it does, tested contingency plans will be in place that will limit the impact as much as is possible.
2) Make sure you understand the scope of the risk appetite. A single statement that tries to cover the whole organisation would be pretty meaningless. Risk appetite statements need to be focussed on specific information assets. Does the statement apply to the whole organisation, just one particular department, or a single project or programme of work? If it’s not for the whole organisation, does one already exist that you can use as a starting point? There is no point in defining a risk appetite statement for a department only to find it contradicts the one at the organisational level. Project risk appetite statements may differ, as projects generally bring about change which may require a different risk appetite from that already expressed. Make sure you have agreement on the scope before even starting.
3) Clearly identify the information that the business cares about to be included in the risk appetite statement. This may sound obvious, but a clear definition of the information the business cares about will really help. Try not to be too all-encompassing; instead, put information into sensible groups that are likely to have different threats (those people interested in compromising the information) and different impacts on the business if compromised in any way. Examples include:
- Sensitive Personal Data
- Non-sensitive Personal Data
- Sales targets
- Information relating to prototype “X”
- Information from customer “Y” (perhaps a government department)
4) Find an information security champion. You may think that the information is important but who in the business really cares? Find someone senior enough to be able to impress on the board how important the information is to the business. It may be the HR Director or the Senior Reporting Officer on a project. These people will act as your information security champions and will be key in determining the correct risk appetite level. When they are comfortable, you know you’ve got it right.
5) Whilst you have their attention make sure you understand why it is they care so much. Is it the confidentiality of the information that if compromised would have a negative impact on the business? If losing information to a competitor on the latest prototype “X” will significantly harm sales and jeopardise the existence of the company, then clearly this is more important than insisting on the information being available 24/7. So, ensure they consider all three aspects of information security – confidentiality, integrity and availability and decide which is the most important and why.
6) Figure out what has to be done to protect it. Now you know what information is in scope, who owns it and why they care, it’s time to figure out what has to be done to protect it. This is not about listing every single security control, it is more about providing definitive statements of expectation. This is where the risk appetite levels (Top Tip #1) come into their own. If they have been done correctly they should provide an excellent framework on which to build. The aim is to provide a set of boundaries in which to constrain risk at each of the different risk appetite levels.
7) Assurance is key. An organisation with a “hungry” risk appetite is not going to spend very much on security controls and even less on gaining assurance that they are working correctly. Conversely, an organisation with an “averse” level would want to have assurance that the controls they have implemented are working effectively. This may require regular testing or monitoring – all of which come at a price. The clever part is getting the balance right for each of the risk appetite levels. If you find the difference at each level is minimal then perhaps you need to reconsider how many risk appetite levels are appropriate for your organisation.
8) Are any security controls mandatory? For some information types there are legal and regulatory requirements that must be met. For sensitive personal information, the risk appetite statement may require a Privacy Impact Assessment (PIA) in line with the Information Commissioner’s Office guidance. For information relating to credit card data, the risk appetite statement may stipulate that compliance with Payment Card Industry Organisation standards is mandatory. Other examples include compliance with contractual obligations, codes of connection, or standards such as OWASP for web applications that process information.
9) What are the checks and balances to determine that the boundaries are not being crossed? There is little point in having comprehensive risk appetite statements signed off at the board level if they are ignored. A governance process needs to be established that provides assurance that risks to information are being correctly identified and that controls are in place that support the risk appetite statement. The approach has to be proportionate but that proportionality is likely to be different for each of the risk appetite levels.
10) Publish widely. There is no point having a risk appetite statement that is ignored. It needs to be communicated across the organisation (including to sub-contractors and partners) so that those responsible for information assets are aware of the boundaries within which they should operate and their role in managing risks. Once published, statements must be reviewed regularly to ensure they remain current as the organisation develops.
We hope you found this article interesting and helpful. If you need any further guidance on risk appetite statements or any part of information risk management please contact the team at Ascentor.