What Is Risk Tolerance?

May 12, 2025

Today’s enterprises view risks differently. Instead of reacting to adverse events after the fact, many organizations develop proactive risk management strategies that anticipate threats and avoid or mitigate them quickly. The key to this agile approach? Defining your company’s risk tolerance levels and developing a detailed cybersecurity action plan. 

Understanding Risk Tolerance in Cybersecurity

What is risk tolerance?

Risk tolerance describes how your organization reacts when threats, vulnerabilities, or failures appear. More precisely, risk tolerance is the amount of variation from your target risk levels that you are willing to accept before you act.

As long as measured risk stays within that agreed-upon threshold, no additional mitigation is required. Risk that exceeds the threshold triggers a defined response: correct the problem, implement a control, or reduce the impact as quickly as possible.

Every organization approaches risk tolerance differently:

  • High risk tolerance means your company can accommodate a lot of variation in products, operations, equipment performance, or network systems as long as the payoff is worth it. Tech companies that “move fast and break things” often take this approach.
  • Medium risk tolerance means you accept some deviation from company policies, processes, or standards, but not much. This strategy often works for retailers, hotel brands, restaurant chains, construction companies, and other consumer-facing businesses.
  • Low risk tolerance means your operations have a very tight threshold between success and failure, requiring immediate action on moderate or serious risks. Banks, insurance companies, defense contractors, healthcare organizations, and other regulated businesses must usually take this approach.

You can assign different risk tolerance levels depending on the nature of the data and the threat. It’s one thing when a junior employee with minimal permissions has their credentials stolen. The danger is vastly higher when the compromised account belongs to a senior manager with access to financial data or administrative settings.

An Example of Risk Tolerance in Cybersecurity

Understanding what risk tolerance is and what it looks like is easier with an example:

  • Stated company policy: Software vulnerabilities with low exploitability must be patched within seven days on critical systems, or within 30 days on non-sensitive systems.
  • Event: Your IT team identifies a potential zero-day vulnerability, but its exploitability and impact are still unknown, so the policy’s deadlines don’t obviously apply and a tolerance decision is needed.
  • Risk tolerance option A: Track the bug and create alerts for suspicious activity, but don’t take any corrective action yet.
  • Risk tolerance option B: Assign team members to develop or obtain a security patch for the vulnerability, but wait until the next major system update to apply it.
  • Risk tolerance option C: Immediately lock down any modules affected by the bug until a security patch can be applied.

Some organizations take the first approach, especially when bugs aren’t realistically exploitable or don’t affect any sensitive data. On the other hand, if there are credible threats to your operations, reputation, or data security, it’s better to err on the side of caution.

Risk Tolerance Vs. Risk Appetite

You may have heard the terms risk appetite and risk tolerance used interchangeably, but they refer to two different things. Risk appetite is the overall amount and type of risk your organization is willing to accept in pursuit of its objectives. Risk tolerance is the acceptable deviation from that appetite, applied to a specific system, data set, or event, and it determines your response on a per-event basis.

Here are a few times when risk tolerance decisions are necessary:

  • Products fall outside contract specifications
  • Employees don’t adhere to cybersecurity guidelines
  • Projects or upgrades go over budget
  • You detect suspicious network traffic
  • Part of your system has been breached
  • Internal audits reveal compliance failures

Risk appetite and risk tolerance are both part of a successful risk management framework. They work together to help you cover a wide variety of organizational risks.

How Do You Calculate Risk Tolerance for Your Organization?

How is risk tolerance calculated?

Creating effective risk tolerance policies requires a customized approach. Your framework has to take into account many organization-specific factors: 

  • Regulatory compliance: HIPAA, PCI DSS, NIST SP 800-171, and GDPR frameworks have little room for error and large penalties for violations.
  • Industry: Industries that process high volumes of sensitive data need to take a more conservative approach to risk tolerance and cyber threats.
  • Customer expectations: Many clients have high infosec requirements for supply-chain vendors and zero tolerance for data breaches.
  • Organizational goals: Making upgrades to outdated systems or implementing updated policies can temporarily increase operational risks, but the end results are better.

Risk calculations should be based on quantifiable data: concrete costs for both the risks and the candidate solutions. This allows you to set percentage-based risk tolerance rules. It’s easier for employees to interpret a 10% cutoff than vague guidelines like “reasonable precautions” or a “moderate impact.”
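The following is an added worked example, not code from the original article or from Compyl. It turns the two ideas above into a runnable check: tolerance tiers that differ by the sensitivity of the data and the threat, and a percentage-based cutoff applied to quantified loss figures. It uses the standard annualized loss expectancy formula, ALE = SLE × ARO (single-loss expectancy times annualized rate of occurrence), and expresses tolerance as the largest ALE allowed as a percentage of the value of the asset at risk. The tolerance tiers, scenarios, controls and every dollar figure are constructed for illustration and are not figures from the article.

```python
# Added example, not code from the original article: a quantitative risk
# tolerance check. ALE = SLE x ARO is the standard annualized loss expectancy
# formula; the tolerance tiers, scenarios, controls and all figures below are
# constructed assumptions for illustration.
from dataclasses import dataclass

# Tolerance as the maximum expected annual loss, expressed as a percentage of
# the value of the asset at risk (assumed tiers mirroring the article's
# high/medium/low split).
TOLERANCE_PCT = {"high": 25.0, "medium": 10.0, "low": 5.0}


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # recurring cost of operating the control
    ale_reduction: float    # fraction of ALE the control removes, 0.0 to 1.0


@dataclass(frozen=True)
class Scenario:
    name: str
    tier: str               # key into TOLERANCE_PCT
    asset_value: float      # value of the asset exposed by this scenario
    sle: float              # single-loss expectancy: cost of one occurrence
    aro: float              # annualized rate of occurrence
    controls: tuple = ()    # candidate Control objects


def ale(scenario):
    """Annualized loss expectancy before any new control."""
    return scenario.sle * scenario.aro


def tolerance_limit(scenario):
    """Largest ALE this scenario may carry without triggering action."""
    return scenario.asset_value * TOLERANCE_PCT[scenario.tier] / 100.0


def residual_ale(scenario, control):
    """ALE remaining once the control is in place."""
    return ale(scenario) * (1.0 - control.ale_reduction)


def net_benefit(scenario, control):
    """ALE avoided minus the control's cost (a simple return on security investment)."""
    return (ale(scenario) - residual_ale(scenario, control)) - control.annual_cost


def decide(scenario):
    """Apply the tolerance rule: accept, mitigate with the cheapest control that
    brings residual ALE inside the limit, or escalate when no control does."""
    base, limit = ale(scenario), tolerance_limit(scenario)
    result = {"scenario": scenario.name, "ale": base, "limit": limit,
              "control": None, "residual": base}
    if base <= limit:
        result["decision"] = "accept"
        return result
    within = [c for c in scenario.controls if residual_ale(scenario, c) <= limit]
    if within:
        chosen = min(within, key=lambda c: c.annual_cost)
        result.update(decision="mitigate", control=chosen.name,
                      residual=residual_ale(scenario, chosen))
        return result
    # No candidate control satisfies the tolerance, so the decision moves up to
    # the risk appetite level (transfer, redesign, or formal acceptance). Report
    # the control with the best net benefit as a partial measure in the meantime.
    if scenario.controls:
        partial = max(scenario.controls, key=lambda c: net_benefit(scenario, c))
        result.update(control=partial.name, residual=residual_ale(scenario, partial))
    result["decision"] = "escalate"
    return result


# Constructed scenarios; every figure is illustrative.
SCENARIOS = [
    Scenario("Phishing of a junior account with minimal access", "medium",
             asset_value=200_000, sle=20_000, aro=0.5),
    Scenario("Compromise of an admin account on the finance system", "low",
             asset_value=2_000_000, sle=500_000, aro=0.5,
             controls=(Control("Phishing-resistant MFA for admins", 30_000, 0.9),
                       Control("Privileged access management", 120_000, 0.95))),
    Scenario("Ransomware via unpatched file servers", "low",
             asset_value=1_000_000, sle=800_000, aro=0.6,
             controls=(Control("Offline, tested backups", 50_000, 0.5),
                       Control("Seven-day patch SLA programme", 80_000, 0.7))),
]


def run_all(scenarios=SCENARIOS):
    """Evaluate every scenario and return the list of decisions."""
    return [decide(s) for s in scenarios]


if __name__ == "__main__":
    for r in run_all():
        print(f"{r['decision']:8} ALE={r['ale']:>10,.0f} limit={r['limit']:>9,.0f} "
              f"control={r['control']}  {r['scenario']}")
```

The first scenario sits inside its tier's limit and is accepted with no spend; the second exceeds the limit and the cheapest control that brings it back inside tolerance is selected; the third exceeds the limit and no single control gets it back inside, so it is escalated rather than quietly accepted, which is the case a percentage cutoff makes visible and a “reasonable precautions” rule would not.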

Why Is Risk Tolerance Important for Enterprise Decisions?

Risk tolerance is a key part of enterprise risk management frameworks as well as governance, risk, and compliance programs. Comprehensive risk assessments take time, but the benefits generally outweigh the costs.

Stronger Cybersecurity

Cyberthreats are evolving constantly, and your organization needs eyes on the situation. Two-thirds of enterprises faced ransomware attacks in 2023. Ignoring the problem isn’t an option. Risk management is essential to identify and protect your organization’s most critical areas.

Cohesive Risk Mitigation

Enterprises need a risk management approach that avoids data silos. By making risk tolerance decisions at the organizational level, every department and business location stays on the same page. Risk assessments need accurate data from CISOs, compliance officers, department heads, and other stakeholders, not just one individual’s gut feeling.

Rapid Deployment

How does response time play into risk tolerance?

Airline pilots have to train for upwards of 1,500 hours before they can fly commercial aircraft. Why? In a real emergency, there’s no time to compare options, only to act.

Similarly, making risk tolerance decisions in advance helps your team react more quickly. According to the IBM Cost of a Data Breach Report, it takes more than two months for most companies to contain a data breach, but organizations with incident response plans in place react 28 days faster and save $1.5 million on average. With automated workflows, that number jumps to $2.2 million.

Cost-Effective Solutions

On paper, it’s easy to say that every potential cybersecurity risk requires a minimum-tolerance approach. In reality, few enterprises can afford to be so heavy-handed. Performing a detailed risk assessment and assigning appropriate risk tolerance levels puts your resources where they maximize data protection.

Redefine Risk Tolerance for Your Organization

Risk tolerance solutions aren’t only for companies without a risk management program. Modern tools can improve existing GRC and ERM frameworks, too. Compyl’s compliance automation can make risk management simpler and more powerful simultaneously. Contact us to see what modern risk tolerance in cybersecurity means for your business.
