Enterprise Risk Appetite Frameworks Should Include PAM
June 2022

By: Orhan Yildirim

Just as cyber risks evolve, risk appetite frameworks are evolving more actively than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”

They are being forced to weigh the pros and cons of security across a continuum. How many layers of security are too many? How many forms of multifactor authentication should be required, and at what point does security become so onerous that it inspires employees, partners and even customers to find workarounds?

A modern Risk Appetite Framework is one that leverages software platforms and automation that simplify operations while improving security levels. A modern Risk Management Framework supports conscious risk-taking, which in turn supports more profitability through more productivity, while also addressing what could be catastrophic attacks or unintentional mistakes.

Risk appetite strategy is also being increasingly influenced by regulators who are driving more legislation to, for example, protect consumer privacy or protect public digital infrastructure.

The most robust and successful risk appetite programs are often found in banks and other financial institutions, where the stakes are incredibly high and the speed of business is incredibly fast. Trading, for example, moves in milliseconds, and profitable trading strategies often depend on taking calculated risks (assisted by algorithms and other automated systems).

More and more enterprises and organizations are being asked to provide risk appetite assessments and plans to their Boards, and even shareholders, as the devastating consequences of large attacks are all too clear, with financial damage running into the hundreds of millions of dollars.

Having a risk appetite posture is no longer a “nice to do” – it is a “must do”.

During the last massive financial crisis, in 2008, we learned the hard way that without the appropriate checks and balances provided by the Board and management teams, a culture of excessive risk-taking and leverage was allowed to develop.

Since then, a great deal of progress has been made by management teams and their Boards, who came to realize that they needed to be clear – crystal clear – on the organization’s capacity for risk-taking and in which areas and activities.

While operating in an environment governed, in part, by a risk appetite framework may feel daunting, it can be made simpler by asking these ten logical questions:

  1. Where is our greatest risk?
  2. What elements within the organization are changing and how does that impact our risk posture?
  3. Where do we stand with digital transformation efforts, and how are we protecting the digital assets that are becoming the lifeblood of our business going forward?
  4. Who is responsible for setting risk tolerance levels and managing them?
  5. How are outside forces (for example, cyberattacks) creating more risk?
  6. What is our position on internal threats and how are we managing those?
  7. When our risk policies are breached, what is our response and escalation plan?
  8. How quickly will we know and how skillfully can we quickly stop a potentially catastrophic event?
  9. Which departments contribute, and how are those departments collaborating in planning for, and then responding to, incidents?
  10. Based on competitive, regulatory and technology changes, what might our risk appetite framework look like in 5 years?

Privileged Access Management solutions, like those in which Ironsphere is leading the market, can be a significant part of any risk management stance, because they ensure that only those who are authorized to access or change a network, system or other asset can actually do so. PAM solutions, like ours, must be extremely open and agile, scalable and adaptable, and easily integrated into a comprehensive IT environment. You cannot manage what you do not measure, and another tremendous benefit of an Ironsphere solution is real-time reporting, together with auditing functions that enable more visibility and therefore more control.

Please contact us if you’d like to learn more: info@ironsphere.com.