Organisations often underestimate the importance of understanding risk appetite, tolerance, and capacity in their information governance framework. Most companies usually do this for one or two reasons. First, they fail to quantify the financial implication of their risk and second, they fail to measure how their company would cope if there were a potential breakdown of their systems.
But, it is good for us to foreground our arguments with foundational definitions of these terms. Risk appetite is the amount of risk an organisation is willing to take. For example, a marketing company employs a third-party company to supply them with contact details of individuals who they can contact for business. In this case, the business knows that accepting this risk is two-fold. On one hand, they would increase their potential to grow their business revenue and on the other hand, there is the potential for customers to oppose to that form of indirect marketing. The company weighs the risk of these leading to a breach and concludes that the risk is manageable. In this case the organisation takes the risk and thereby showcasing that they have a high-risk appetite.
Risk tolerance is always lower than risk capacity. This can be either equal to or greater than the appetite. In this case, stakeholders within the information governance team would base their decision making on the existence of evidence. For example, after a data mapping, the information security manager would determine, using a risk-based approach, what’s tolerable, logical, and meaningful to the overall business objective.
Risk capacity refers to the maximum risk an organisation can afford to take. In information governance, this is the area where business impact assessment plays its criticality. Imagine a bike seller who sells about one thousand bikes a day via his online portal. He notices that he sells at least, two hundred bike per hour. What happens if the server shuts down, how many minutes can the company be down for and what are the implications? On the surface, one notices that the company can lose money but when one digs deep into that process, what’s the capacity of the loss that can be taken? Can the company leave the business process down for almost three hours and what’s the maximum the company can accept? Here, most times, it is better to have a backup for critical systems and design the best approach in dealing with such events when they happen.
Risk appetite and tolerance in information governance need to be reviewed at regular intervals. The organisation needs to factor in new technology, business processes, organisational restructuring or changes in business strategy that may require the organisation to reassess their risk portfolio and reconfirm the risk appetite. If risk appetite and tolerance are not defined by senior management there tends to be a misunderstanding of most critical risk areas and quite often leads to organisations capturing and managing information risks like an after-thought. This process is key and must be embedded in the business systems for a company to create and maintain a healthy balance of risk and business development.