Three simple steps to determine risk tolerance

Craig Shumard outlines the essential factors that should go into assessing your organization's risk tolerance profile

For CISOs, beyond deciding what policies, processes, or technology an organization should have in place, an even more significant challenge is successfully negotiating disputed risk issues. The process for determining risk tolerance is fraught with organizational politics, and it goes without saying that each organization's circumstances call for a customized fit. When defining that process, the most important aspects to take into account are how the organization decides on its risk tolerance, how security risk assumption decisions are made, and who has the authority to assume security risks.

How to determine risk tolerance within your organization

Every organization has a risk tolerance model, ranging from a formal documented process to an undocumented process, or more often than not something in between. To solve the problem, first you need to determine where on this spectrum your organization lies.

Found in organizations with mature enterprise risk management (ERM) processes, a formal, documented risk tolerance and assumption process clearly defines risk assumption authority levels and specifies who can assume and sign off on the risks. This process establishes a "governance procedure" and is often based on quantifying the risks and exposures. Even in these organizations, however, the ERM processes often do not adequately simplify the resolution of contested security issues.


On the other hand, organizations with informal risk tolerance models have little or no documented procedure regarding risk tolerance and assumption. Typically, the model rests on the unspoken assumption that a senior-level manager should be informed of security issues and approve the risk being assumed. Obviously, with an informal risk tolerance model, the organization's security procedures may not be applied consistently, so risks may not be sufficiently vetted.

Determining security motivations

Even for organizations that have mature ERM processes, it is difficult to implement an effective risk assumption process. There is no generally accepted template for a security risk assumption model. Some organizations are predominantly driven by regulatory compliance concerns. Some are driven by the privacy and security risks associated with their information technology practices, while others are driven by industry and/or competitive pressure to determine their risk tolerance levels. Many organizations are driven by a mix of all three risk tolerance drivers.

Because the possible security motivating factors and values can differ greatly between organizations, establishing a formal risk assumption model is imperative and needs to be a truly unique and intimate process that involves the CEO -- and even the Board of Directors.

Who assumes risk -- and how?

All risk tolerance models should include three critical factors, beginning with documenting enterprise risk assumption delegation.

Delegation of who can make security risk decisions is critical and, at minimum, delegation should be at the Board of Directors or CEO level. Ideally, though, the CISO serves as the first line of defense, followed by the CEO or the Board of Directors if the risks need to be escalated. Business unit executives should only have authority to make risk decisions that are contained within the boundary of their business unit. Similar to CFOs who have delegated enterprise authority over spending matters and can overturn or challenge spending decisions by the business units, a CISO should have similar authority over security matters within the boundary of the business units.


Secondly, categorizing risks as enterprise versus business unit risks determines who can assume a given risk for the organization. The organization should ask whether a security risk is contained within one business unit or whether it affects the entire enterprise or multiple business units.

Finally, organizations should document how disputed issues are escalated and resolved, so that every business unit knows how risks are escalated and who needs to be involved in resolving them. This documentation includes procedures for categorizing the risk(s) and the delegated authority levels by function.

A formal security risk assumption process that is documented and approved by the CEO and/or the Board of Directors is a critical first step to successfully resolving contested risk tolerance issues. And importantly, the right people need to have the right level of authority to assume enterprise security risks for the organization.

Every successful CISO must determine and navigate the risk tolerance level of their respective organization -- as political as it can be -- but with the knowledge that risk tolerance drives organization values.

Craig Shumard is Principal at Shumard and Associates, a strategic security consulting company specializing in helping decision makers improve and measure information security solutions. He also serves as an advisor to Tenable Network Security. Formerly the Chief Information Security Officer at CIGNA, Shumard has extensive experience in the areas of information security, privacy, and compliance.
