From the course: IT and Cybersecurity Risk Management Essential Training

What is IT risk appetite?

- [Instructor] Risk appetite means knowing how much risk your organization is comfortable assuming. For example, here are a few broad approaches to setting risk appetite. An insurance company has a minimal risk appetite because it wants ultra-safe options that are low risk in exchange for a limited reward. But a national retailer may have an open risk appetite. It considers all potential options and chooses the one most likely to result in success, while also providing an acceptable level of reward. And a technology startup is likely to have a hungry risk appetite because it's eager to be innovative and take greater risks to achieve higher rewards.

When it comes to technology, the IT risk appetite is rarely stated explicitly, but it usually follows the overall appetite of the organization. And this is one reason why insurance companies tend to purchase mature systems backed by large brands, while technology startups favor building their own solutions by writing code and integrating open source software along with best-of-breed cloud services.

Sometimes an organization knowingly takes IT risks that are not aligned with their overall risk appetite. For example, the insurance company may need to migrate its core processing system to a brand-new tech stack because the platform they've been on for years is going off support. But they haven't done a system migration like this in 20 years, and no one in the IT department has any expertise with these new technologies. This is a massive IT risk for them that must be very carefully managed.

Other times, an organization may be unaware that its IT risks are very different from what they thought they had signed up for. The rise of ransomware, for example, has caught many organizations off guard and has caused lots of unexpected damage, both in terms of money and reputation.

So when you're managing IT risk, pay attention to your organization's risk appetite. It's a great starting point for determining how much needs to be done to reduce IT risk down to an acceptable level.