Risk Acceptance At The Executive Level
This article was originally published by ISACA's The Nexus on July 11, 2016
By Jack Jones
Many organizations have a process in place whereby executives are authorized to accept risk (i.e., make decisions that expose the organization to unusual amounts of risk). The truth of the matter, though, is that virtually every business decision has some effect on the organization’s cyberrisk posture, for example:
- Every new hire introduces someone into the organization who will be making decisions and taking actions that frequently have an effect (for good or ill) on the organization’s cyberrisk posture.
- Every new product or service will invariably rely, to some degree, on the organization’s technology and information resources, which affect the organization’s exposure to cyber-related loss.
- Every acquisition of, or merger with, another company introduces technology and processes that change the organization’s risk posture for better or worse.
When these decisions are aligned with the organization’s policies and standards, it is generally assumed that the level of risk is acceptable and, therefore, no explicit risk acceptance is required. However, when decisions are required where one of the options is to operate outside of the organization’s defined policies and standards, the risk owner is (or should be) on the hook to explicitly and formally decide whether the additional risk the organization is being subjected to is acceptable. This formal acceptance makes the decision maker accountable for that decision and its effects.
The topic of identifying who should own risk within an organization is more involved than can be fully covered here. Briefly stated, the owner(s) of risk (whether cyberrisk or some other form of risk) should be the executive(s) who will end up covering the losses if the risk (a loss event) actually materializes. With very rare exceptions, this means that business executives should be responsible for accepting risk, rather than the chief information security officer (CISO).
The owner(s) of risk (whether cyberrisk or some other form of risk) should be the executive(s) who will end up covering the losses if the risk (a loss event) actually materializes.
This runs contrary to how many organizations operate, where the CISO is expected to accept, or co-accept, cyber-related risk. This responsibility is misguided for at least two reasons:
- The CISO is not in a position to cover the losses from an event.
- The CISO does not understand the complex combination of organizational objectives (e.g., growth, cost management), resource constraints, operational needs and other forms of risk to be managed—all of which are necessary in order to make a balanced decision.
Instead, the CISO’s proper role in the risk acceptance process is to ensure that the risk owner and other stakeholders clearly understand the amount of risk being accepted, as well as their alternatives (e.g., control opportunities and their expected cost and efficacy). The CISO’s signature on the risk acceptance form should hold him/her accountable for providing accurate and meaningful information to the decision-makers. That signature should not, however, hold the CISO accountable for the business choice that is made.
This approach to risk ownership also helps to ensure the appropriate level of involvement by executives in the organization’s risk posture. That said, concerns are often raised by cyberrisk professionals that “the business will accept any amount of risk.” In my 10 years as a CISO, this has never been the case when risk is measured and communicated in terms that are meaningful to executives.
Is one of the foremost authorities in the field of information risk management. As the chairman of the FAIR Institute and the cofounder and executive vice president, research and development, at RiskLens, he continues to lead the way in developing effective and pragmatic ways to manage and quantify information risk. As a three-time chief information security officer with forward-thinking institutions such as Nationwide Insurance, Huntington Bank and CBC Innovis, he received numerous recognitions for his work including: the ISSA Excellence in the Field of Security Practices award in 2006; a finalist award for the Information Security Executive of the Year, Central US in 2007; and the CSO Compass Award in 2012, for advancing risk management within the profession. Previously, his career included assignments in the military, government intelligence and consulting, as well as in the financial and insurance industries. Jones is the author of FAIR, the only international standard VaR model for cybersecurity and enterprise technology. A sought-after thought leader, he recently published Measuring and Managing Information Risk: A FAIR Approach, which has been inducted into the cybersecurity canon as a “must read” within the profession, and is a regular speaker at industry conferences.