Governance, Risk and Compliance (GRC) sounds like a complicated subject to many people. I felt the same way when I started my career in this exciting field of Security & Risk. I thought it would be a good idea to write a blog post on an “Integrated GRC Framework”. Since it is a complicated subject, it is difficult to explain in one blog post, so I am going to write a series of posts explaining each concept. In the last post I will bring all the pieces together and explain how they fit.
The first concept that is really important to understand is “Risk Appetite”. I heard this popular term a few years back, and it puzzled me for quite some time before I understood clearly what it really means in simple terms.
To understand the term, I went to our friend Google and asked “What is Risk Appetite?” Google responded with 2.3 million results. There were so many blog posts, articles and publications on this topic that I struggled to work out which one was the best answer.
I read a number of documents and posts, but I still did not feel confident enough to explain this to an ordinary person in simple terms. Then I went to another source, Wikipedia. Wikipedia defines Risk Appetite as “The level of risk that an organization is prepared to accept, before action is deemed necessary to reduce it. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings on”. That does not help much either, does it? The plain dictionary meaning of the word “appetite” is more useful:
- An instinctive desire, especially one for food or drink
- A strong wish or urge
When you apply this meaning to Risk Appetite, it translates to “An instinctive desire or A strong urge To Take On Risk”. I will try to explain this with a simple example. Every weekend when I decide to take my family out in our car, I know in my head that I am taking a risk. We could have an accident which could harm me and my family. But I decide to take that risk. Why? Because:
- All of us will be wearing seat belts
- My car has airbags
- My car has good safety features
- I am a good driver
- I have good reflexes
- I am not going to cross speed limit
- I am going to be careful
- There are laws and regulations that every other driver has to abide by
These controls (seat belts, airbags, speed limits, my own driving) reduce the remaining risk to a level I am prepared to accept. In other words, the risk is within my appetite, so I decide to “Take That Risk”.
Now consider an alternative scenario: my car has gone to the garage, and a friend offers to drive us to our destination. In this scenario I have to take the following points into consideration:
- I know he has a history of speeding
- His car does not have good safety features
- He does not maintain his car well
- He has been disqualified from driving once
- He appears to be under the influence of alcohol
In these circumstances the risk is NOT within my appetite, so I decide to “Avoid Taking That Risk”.
All of us practise risk management, knowingly or unknowingly, in our daily lives. We adjust our Risk Appetite based on various factors, for example the surrounding environment, the place, the time of day and so on. When we are walking down a familiar street during the day, we might be less cautious of our surroundings. However, if we are walking along an unfamiliar street at night and there are not many people around, we become more attentive and aware of our surroundings and take appropriate steps to stay within our risk appetite.
Risk Appetite is “An instinctive desire or A strong urge To Take On Risk”.