The introduction of ISO 22301 (Societal security – Requirements – Business continuity management system) more closely aligns business continuity to the broader risk management discipline. A major contributor to this alignment is the standard’s requirement to understand the organization’s “risk appetite” (a term not used in BS 25999).
ISO 22301’s definition of risk appetite (Section 3.49) is the “amount and type of risk that an organization is willing to pursue or retain”. The standard makes reference to risk appetite in two sections:
In addition, the authors of the guidance document supporting ISO 22301, titled ISO DIS 22313, make one additional reference to risk appetite in the section focused on establishing the context for the business continuity management system:
Business continuity professionals (or those charged with business continuity planning) who are seeking alignment with or certification to ISO 22301 must understand the concept of risk appetite and address the requirements outlined above.
Please note: the purpose of this article is not to offer a detailed, theoretical understanding of risk appetite, as other whitepapers and information sources already do this, but rather to introduce the concept to business continuity professionals and offer insight on leveraging and “implementing” this concept in our profession.
The Relationship Between Risk Appetite and Business Continuity
We believe the contributors to ISO 22301 integrated the concept of risk appetite (“amount and type of risk that an organization is willing to pursue or retain”) into a business continuity management system standard for two key reasons:
- Organizations should view risk appetite as all-encompassing, incorporating all areas of risk, including the business continuity-related risks associated with disruptive incidents; and
- Utilizing risk appetite to adequately scope and support a business continuity management system helps align business continuity to organizational strategy and other risk management efforts, enabling business continuity to better integrate into broader risk management.
Further, when done correctly, risk appetite becomes a major input to (and it may overlap significantly with) a business continuity management system’s scope and objectives.
Keys to Determining Risk Appetite
As noted above, many sources of information are available that describe the concept of risk appetite and the best approach for determining an organization’s risk appetite. Avalution analyzed these sources to further understand how to most effectively assist our clients in determining and documenting their risk appetites as they pertain to business continuity planning, as well as to integrate the concept into our own business continuity program (since we are actively transitioning from BS 25999-2 to ISO 22301 within our organization). One of the most valuable sources we identified is a white paper published by the Institute for Risk Management (IRM), which introduced a number of “design” factors the authors deemed key to determining risk appetite. Three of these design factors, or considerations, which we found help to better understand and determine risk appetite, are paraphrased below:
- An organization’s risk appetite is – or should be – measurable
- The acceptability of risk should have a time (temporal) consideration, to ensure periodic review (given organizational and environmental change)
- Risk acceptance should not have anything to do with relaxing controls (risk treatments)
With this said, and in our opinion, some of the sources of information – other than executive management – that organizations should evaluate when determining risk appetite include:
- Annual reports and financial statements
- Customer contracts
- Regulatory requirements
- Business strategic plans
- Marketing materials
- Board meeting minutes
While we will not go into further detail on determining risk appetite, those seeking additional information should consider reviewing the following:
- COSO – Understanding and Communicating Risk Appetite
- ERM Symposium – Cremonino
- Towers Perrin – ERM Risk Appetite
- COSO – ERM Executive Summary
Example – Risk Appetite at Avalution
In transitioning from BS 25999-2 to ISO 22301, we had to understand how risk appetite pertains to our business continuity management system, given that this is a new formalized requirement necessary for certification. Using the guidance and approach described in the previous section of this article, we documented our risk appetite summary as follows:
In 2012, we are willing to tolerate a finite amount of downtime as long as it does not result in the following:
- Damaged reputation among our clients that leads to broader, negative market perception
- Missed service level agreements specific to The Planning Portal and BC Catalyst
- Financial loss in excess of $50,000
- Project delays of more than three days due to resource disruption and lost data
In order to align our existing business continuity program with this statement regarding risk appetite, Avalution management intends to staff and appropriately resource our business continuity management system to minimize downtime in the most efficient, pragmatic manner possible.
As noted earlier in this article, this statement aligns with the IRM design considerations, specifically:
- It aligns to our products and services, as well as our organization’s strategic priorities, and hence the scope of our business continuity management system
- It offers quantifiable methods to measure risk
- It notes a time element (2012)
- It notes where our management team accepts a level of risk, which frees resources to improve our business, services and technology, as well as invest in our people
Risk appetite is an important concept that includes strategic, operational and tactical elements – all of which impact the successful implementation and continual improvement of a business continuity management system. Considering risk appetite as part of business continuity planning enables business continuity to more closely align with risk management efforts, enabling business continuity efforts to focus primarily on the risks management is unwilling to accept regarding important products, services, business processes and resources (all of which an organization should clearly document within its risk appetite). Understanding the boundaries – based on an acceptable level of risk – introduces focus and clarity in planning, which results in higher levels of effectiveness and efficiency in protecting an organization’s most time-sensitive or critical activities.
Further, considering risk appetite in the context of business continuity planning should help management frame business continuity in relation to how they already think about the broader topic of risks to the organization, with the risk of disruptive incidents being only one factor to consider. Aligning the business continuity effort to how management already thinks (on a strategic level) should contribute to a stronger, clearer value proposition for the preparedness effort, which should enable long-term support and management involvement.
Due to the benefits outlined throughout this article, Avalution believes that the concept of risk appetite is a welcome addition to ISO 22301, and one that business continuity professionals must learn more about in order to be active participants in a broader risk management effort.
Brian Zawada, Director of Consulting & Jacque Rupert, Managing Consultant
Avalution Consulting: Business Continuity Consulting