Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction. The motivation for "taking a risk" is a favorable outcome. "Managing risk" implies that other actions are being taken to either mitigate the impact of the undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome.

For example, a venture capitalist (VC) decides to invest a million dollars in a startup company. The risk (undesirable outcome) in this case is that the company will fail and the VC will lose part or all of her investment. The motivation for taking this risk is that the company becomes wildly successful and the initial backers make a great deal of money. To influence the outcome, the VC may require a seat on the Board of Directors, demand frequent financial reports, and mentor the leadership team. Doing these things, however, does not guarantee success. Risk tolerance is how much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit: in this case, how much money the VC is willing to lose. Certainly, if the VC believed that the company was destined for failure, the investment would not be made. Conversely, if the VC determined that the likelihood of a three-million-dollar return on investment was high, she may be willing to accept the tradeoff of a potential $200,000 loss.

Inherently, risk is neither good nor bad. All human activity carries some risk, although the amount varies greatly. Consider this: every time you get in a car you are risking injury or even death. You manage the risk by keeping your car in good working order, wearing a seat belt, obeying the rules of the road, not texting, not being impaired, and paying attention. Your risk tolerance reflects a judgment that the reward of reaching your destination outweighs the potential harm.

Risk taking can be beneficial and is often necessary for advancement. For example, entrepreneurial risk taking can pay off in innovation and progress. Ceasing to take risks would quickly wipe out experimentation, innovation, challenge, excitement, and motivation. Risk taking can, however, be detrimental when ill considered or motivated by ignorance, ideology, dysfunction, greed, or revenge. The key is to balance risk against rewards by making informed decisions and then managing the risk commensurate with organizational objectives. The process of managing risk requires organizations to assign risk-management responsibilities, establish the organizational risk appetite and tolerance, adopt a standard methodology for assessing risk, respond to risk levels, and monitor risk on an ongoing basis.

Risk appetite is a strategic construct, broadly defined as the amount of risk an entity is willing to accept in pursuit of its mission. Risk tolerance is tactical and specific to the target being evaluated. Risk tolerance levels can be qualitative (for example, low, elevated, severe) or quantitative (for example, dollar loss, number of customers impacted, hours of downtime). It is the responsibility of the Board of Directors and executive management to establish risk tolerance criteria, set standards for acceptable levels of risk, and disseminate this information to decision makers throughout the organization.

In Practice: Information Security Risk Management Oversight Policy

Synopsis: To assign organizational roles and responsibilities with respect to risk management activities.

Executive management, in consultation with the Board of Directors, is responsible for determining the organizational risk appetite and risk tolerance levels.

Executive management will communicate the above to decision makers throughout the company.