Defining an appropriate Cyber risk appetite is a key to success for Financial Services Organizations. Authors: Reto Aeberhardt, Marc Minar 


What do you think: How much Cyber risk is your organization willing to take? One of the obvious first thoughts is: none. But are you absolutely sure? Because in today’s highly connected world that would mean it is almost impossible to operate. There is always an inherent Cyber risk being connected and digital.

Companies in the financial services sector work in a digital ecosystem, which is necessary as clients expect to securely access services from everywhere in the world at any time.  Therefore top management is challenged to define an appropriate Cyber risk appetite and related Cyber risk tolerance in line with the business strategy and in compliance with regulation and law.

When done well, defining Cyber risk appetite establishes internal boundaries for prudent decision making, balanced risk taking, highly efficient governance and business enablement.

The obvious key question for management is how much cyber risk an organization is willing to assume to achieve its strategic objectives and business plans. 

Cyber risk, risk appetite, risk tolerance – what the terms mean 

However, there is often a lack of a clear and consistent definition of terms. To avoid confusion, the definitions below should help to achieve a common understanding:

  • Cyber risk is the risk of financial loss, disruption of activities, impact on the company’s image or of its reputation as a result of malicious and purposefully executed actions. Cyber risks may have an impact on the confidentiality, integrity, and availability of information systems and related data.
  • Cybersecurity is the combination of technologies, processes and methods to protect networks, computers, programs and data against attacks, damage and unauthorized access by external parties. Consequently, Cybersecurity encompasses the holistic consideration of measures for the identification of, protection against, detection of, response to and recovering after Cyberattacks.
  • Risk capacity surrounds the risk appetite and indicates the boundary. It is the maximum amount of risk that the organization can take to remain viable. Capacity is not always a “single number but rather a qualitative factor”; it will vary across risk types, business units and strategic scenarios. Discussing capacity is, in itself, a useful activity in considering how the organization could fail.
  • Risk appetite is the aggregated level of risk an organization is willing to assume (within its risk capacity) to achieve its strategic objectives and business plans. It is a “range” as opposed to a target.
  • Risk tolerance is the maximum risk the organization is willing to take for a particular strategic objective, KPI or category of risk. Exceeding a risk tolerance will typically act as a trigger for corrective action at the executive level, immediate notification to the board, and a detailed review of the underlying causes of the high risk exposure or significant variation from expected performance.

risk 1

The gap between risk capacity and risk appetite is called the buffer. The buffer should consider the possibility of very extreme outcomes and errors in assumptions, analysis and modelling.

But why is it important to define Cyber risk appetite? 

The definition of a well deliberated cyber risk appetite and cyber risk tolerance in line with the business activities and the strategy is key to the success of a firm – as it helps to better understand what markets they want to be in and what kind of business they don’t want to be in – considering business opportunities, risk and cost of risk management and Cybersecurity. The organizations business strategy should be aligned with the risk appetite and risk capacity, which sets the boundaries.

An organization must be able to bring together a transparent overview of risks and the costs of the risks. Aside from a cost perspective a risk tolerance framework allows the business to allocate and optimize resources risk-based and provides areas to focus on. Organizations gain an understanding about the firm-wide alignment of risk and business opportunities, which leads at the end to a better decision-making process.

Collect, establish, define, monitor: The four phases of defining Cyber risk appetite

To define the Cyber risk appetite and tolerance, EY has developed the following four phase based approach:

risk 2

  1. Collect information and review the existing risk framework

We start with the collection of information and reviewing existing organizational frameworks. It is crucial to gather relevant information of definitions already used in the organization for various risk terminologies in order to find a common ground. Therefore, we typically work closely with enterprise risk stakeholders such as the CISO, CRO CIO and the business.

  1. Establish risk appetite principles and statements

In a second step, together with our clients, we develop risk appetite principles and help define the Cyber risk appetite and tolerance by conducting workshops. Our experience shows that conducting a workshops with key stakeholders is a very efficient approach to boost the development of these statements. 

  1. Define and validate risk appetite

With key representatives of the organization we verify the Cyber risk appetite and tolerance statements. In addition, we focus on the definition of risk metrics, such as Key Risk Indicators (KRI) and Key Performance Indicators (KPI), for a continuous monitoring of related risk to enable a better understating of Cyber risk trends. 

  1. Sustain and monitor risk appetite process

Together with the client, we develop governance principles to review the Cyber risk appetite and tolerance on a regular basis to be in line with the organization’s overall risk strategy.

Better understand your Cyber Risk appetite

For our clients, we provide guidance on the definition of the Cyber risk appetite and tolerance and support the definition of KRIs that should be in line with underlying KPIs and related controls. We can help you to define a holistic Cyber risk management framework, which fully integrates into an existing enterprise risk management framework and even support and advise you on Cyber risk reporting and metrics definition. Most importantly we help you to better understand your Cyber risk appetite and the appropriate balance between the level of Cybersecurity controls, cost of controls and accepted Cyber risks considering your strategic goals to enable business.

To find out more click here: