Many organizations are relying on business
problems when a threat that
can disrupt business operations emerges.
Typically, enterprises have relied on business continuity and disaster recovery plans to serve the purpose of reacting and adapting quickly to a disruption.
While BC/DR plans no doubt hold value in any organization, many companies still can struggle to verify with 100 percent certainty that their BC/DR plans are fully functional and actionable, and also integrated into the organization’s specific
This uncertainty is often the result of an inadequate understanding of operational risk. To improve that understanding, risk and resilience management must be supported by a transparent examination of risk and, more specifically, a clear understanding of the organization’s risk appetite.
What is Risk Appetite?
Risk appetite is a function of organizational culture. Risk appetite is defined as an
organization’s tolerance for accepting risk.
It’s a careful balance between the achievement of business objectives and continuous
compliance with regulatory requirements.
When an organization gains a transparent view of the risk it is willing to accept versus the risk it desires to mitigate or remove, it is positioned to move from merely managing risk to achieving a state of
Yet many organizations forgo investing in what can truly be called operational
resilience. They see risk management as a
challenge that resides solely at the enterprise level – and not one that must be
addressed at the service and functional
area level as well. While a holistic view
of risk is essential to the resilience of an
organization, increasingly complex operational environments often cause top-down
approaches to fail.
This usually results from a combination of five factors:
Achieving operational resilience requires
a commitment across the enterprise.
Operational risk is an honest reflection
of the reality of today’s world.
It is not possible to build an impermeable operational risk infrastructure. But it
is possible to fully understand an organization’s personnel, processes, facilities,
and technology infrastructure and map
this to a specific risk appetite. This direct
mapping should be the essential outcome
from any operational risk management
program which an organization puts in
By focusing on the outcome, an organization can more easily predict the performance of business services under
uncertain conditions, manage unknown
risks, meet its mission under adverse circumstances, and return to normal after the
No matter how resilient an organization
considers itself to be, it should look to formalize its approach to managing resilience
in order to overcome traditional barriers to
implementation and control.
Making the Business Case
Positioning operational resilience to
build a stronger business is accomplished
by articulating the business need and
showing how to meet it – in a tangible and
measurable way and at an affordable cost
with a positive return.