Readings
- What is the difference between risk appetite and tolerance?
- What three types of IT risk are there? Can you give an example of each?
- In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
- How can an organization respond to any IT risk?
The All World Airlines Case
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis, would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
Anthony Clayton Fecondo says
What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk that an entity is prepared to accept in pursuit of its objectives. Risk tolerance is the acceptable deviation from a company’s risk appetite for any given individual risk. According to these definitions, I think the main difference is scope. Appetite is about total risk and tolerance manages individual risks. Risk appetite defines what level of total risk an organization is comfortable with. While there’s a maximum total risk, the acceptable risk level of each individual activity is defined by the risk tolerance. For example, an organization might have a relatively low risk appetite, but they might still take on a very risky activity despite the inherent risk of that one activity, because the total risk of the organization is still within their comfort zone.
Anthony Clayton Fecondo says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
ISACA’s IT Risk Framework has three processes: IT governance, Risk Evaluation, and Risk Response. Risk governance is the process of creating policies, standards, and the culture regarding risk management within the organization. This step in the process establishes a singular, consistent view of risk for the organization and influences the degree of risk awareness that the company and its employees are in. This step is about understanding the organization’s stance on risk.
Risk evaluation is the process of collecting, inventorying, and analyzing any data about relevant risks and exposures. This step also includes the process of establishing and maintaining the organization’s risk profile. This step is about understanding the risk environment that the organization operates in.
Finally, risk response is the process of determining how to deal with risks. This step starts with determining if a risk will be accepted, avoided, mitigated, or transferred, the means by which the risk will be mitigated or transferred, and the action plan for responding to the occurrence of risk events. This step is about understanding how the organization is going to manage risks and how it will react to a given event.
Sean Patrick Walsh says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk a business is willing to accept to achieve its business objectives. Risk tolerance is the amount of deviation beyond the limits set by risk acceptance that a business finds tolerable when conducting business to reach its objectives. To visualize it, I would imagine a printed piece of paper with an essay, or some type of writing, printed on it where the piece of paper itself is the risk. The writing is formatted to fit inside an imaginary rectangle on the sheet of paper and that would encompass the risk appetite. The risk tolerance would be the margins on the paper which allows the writing’s imaginary box to be formatted larger to a point if necessary. Of course, the writing can only be formatted so large until it no longer fits on the piece of paper, much like risk tolerance only absorbs so much deviation from risk acceptance.
Richard Flanagan says
Sean,
You’ve got me on this one. I really didn’t follow your analogy. I think of appetite as the organization’s willingness to take on risk overall, and risk tolerance as the amount of risk they are willing to take with any specific initiative. Thus you could have two companies with the same risk appetite; one that is willing to take a lot of small risks in everything they do and one that is only willing to take a risk in one area, but they are willing to take almost any risk there.
Sean Patrick Walsh says
I think while I was responding I was trying to visualize the concept and it came out poorly in writing.
Andres Galarza says
The martini example from the video made sense to me.
Sachin Shah says
I agree the video made clear how risk tolerance is more granular or for a specific initiative, whereas appetite is more reflective of how a company is willing to take risks in general. I also see risk tolerance and appetite reflected when watching people play poker: people play more aggressively if they have a large stack of chips. Yet if one has a small chip stack they may be aggressive or conservative, and that is reflective of their tolerance due to the chips available to them.
Sean Patrick Walsh says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk are IT Benefit/Value Enablement Risk, IT Program and Project Delivery Risk, and IT Operations and Service Delivery Risk.
An Example of IT Benefit/Value Enablement Risk is Blockbuster Video not leveraging streaming services for their products and losing market share and eventually filing bankruptcy due to Netflix.
An example of IT Program and Project Delivery Risk is Apple’s Copland operating system it designed in response to Windows 95 in the 1990’s. The project failed to deliver what it was intended to do and cost the company millions.
An example of IT Operations and Service Delivery Risk is when the ACA healthcare website rolled out initially and people could not utilize the website to purchase healthcare.
Richard Flanagan says
Sean,
Like your examples, but the ACA might also be an example of a project delivery risk. Hard to differentiate on rollouts. It’s similar to the medical saying “the operation was a success but the patient died.” I think a more recent example of a delivery risk was the DDOS attack on the internet that brought so many sites down.
Sean Patrick Walsh says
I understand now. The rollout in that scenario was a significant part of the project delivery, whereas DDoS denied the address resolution protocol services for many different sites. That makes much more sense since that is an actual service being provided.
Sachin Shah says
Very good point about the DDOS attack on the internet. We have issues like that at my job where we know there are bugs in a program but they are bypassed due to SLA agreements that financially require when a project or upgrade HAS to occur.
Xiaodi Ji says
Sean,
I really like the example for the IT Program and Project Delivery Risk. Until now, I think this risk is hard to control. First of all, it is very hard to catch people’s ideas about the world. Before a company creates a program, they do a lot of research on what people want and like. However, a program needs a lot of time to create. During this time, people’s preferences will change. If our program cannot catch their opinion or feeling, it is hard for people to choose our company or program.
Then, users always follow big companies. A lot of people choose a program because this program was created by a big company which may be able to give better service. For example, now, many people choose Windows as their operating system because Windows is a big company. Users think they can provide good service and good programs. It is hard for other small operating system companies to gain market share.
Therefore, I think this is a very hard risk to handle.
Joseph Henofer says
1. What is the difference between risk appetite and tolerance?
As per the COSO ERM Framework,
Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of stakeholder value.
Risk Tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.
Some people make the mistake of using these terms interchangeably when in reality they are different. A key difference between the two is that risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while risk tolerances are more narrow and set the acceptable level of variation around objectives. For example, a customer service desk may not accept risks of dropped calls which is expressing appetite. Now that same customer service desk may also say it will not accept risks of dropped calls from the top 10% of clients in a span of 1 month.
http://www.coso.org/erm-faqs.htm
Brou Marie Joelle Alexandra Adje says
Jan’s section:
1. What is the difference between risk appetite and tolerance?
The way I see this is that risk appetite refers to the amount and type of risk an organization is willing to accept in pursuit of its business objectives, whereas risk tolerance is more like the maximum risk that an organization is willing to take regarding each relevant risk.
Mengxue Ni says
Nice and straight, Alexandra!
I totally agree with you about the differences between risk appetite and tolerance. In other words, risk appetite is the level of risks that an organization is willing to accept. Risk tolerance is more granular and affects individual risks.
Nathan A. Van Cleave says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the total amount of risk that an organization will accept when considering its objectives. The ISACA IT Risk Framework points to two primary organizational considerations in determining risk appetite:
– An organization’s objective capacity to absorb loss
– The management’s biases toward risk taking (Risk vs Return)
Risk tolerance is the bearable range of deviation from the identified risk appetite. In the ISACA example: standards require projects to be completed within the estimated budgets and time (risk appetite), but overruns of 10% of budget or 20% of time are tolerated.
Risk appetite and tolerance are generally set by the board and/or executive management and are linked with the company’s strategy. They capture the organizational philosophy for managing and taking risks, help frame and define the organization’s expected risk culture and guide overall resource allocation.
Xiaodi Ji says
Nathan,
Your examples are helpful for me to get the point of them. Just like the example we watched in the video, risk is like wine. We like wine because it tastes good, and it is also a good tool for communication. For this reason, we want to drink wine. For IT, we want risk because it can help us find problems. When we write a program and see an error, we may feel nervous, but it is a good chance for us to solve the error or create some function to catch these errors to avoid more terrible errors.
Everything should have a degree. When we drink too much, we cannot control ourselves. Therefore, each company has a degree for risk. Once the risk goes over this degree, it can cause more serious problems. For example, when we write an endless loop in a program, we have to pay more attention to this. If this endless loop goes over the computer’s abilities, the computer has to shut down.
Therefore, everything has double effects. If we find a good method to use risk, it can help us. However, if we deal with it with the wrong methods, it can destroy us.
Nathan A. Van Cleave says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk and examples of each are:
IT Benefit/Value Enablement Risk
– An organization realizing that an e-commerce platform can boost sales by extending a global reach to consumers.
IT Programme and Project Delivery Risk
– An organization conducting due diligence on an outsourced development vendor to ensure they have the capabilities, expertise, and resources to sufficiently deliver on the required programme objectives and scope.
IT Operations and Service Delivery Risk
– An organization conducting voice of customer (VoC) feedback on incident management processes to ensure the organization is achieving desired results and appropriate value is being attained.
Richard Flanagan says
Nathan,
Can you relate this to “Right things, done right?”
Nathan A. Van Cleave says
Rich,
If I understand your question correctly, I think for the examples for each risk type, those could be the “Right Things” part of that as they are all addressing a step that an organization could make to mitigate a risk.
For the example of IT Benefit/Value Enablement Risk:
Right Things: An organization realizing that an e-commerce platform can boost sales by extending a global reach to consumers and reducing the risk of falling behind the industry and creating more value through differentiation.
Done Right: Implementing the e-commerce platform carefully understanding that other areas of the business will need consideration to appropriately manage the overall risk (i.e. logistics, customer service, sourcing, etc.)
Vaibhav Shukla says
Professor Jan Section
How can an organization respond to IT risk?
During the risk analysis process the risks to an organization are analyzed, and all the risks which exceed the risk tolerance level are responded to. The organization has 4 options as a response to IT risks:
1)Avoid
2)Reduce/Mitigate
3)Share/Transfer
4)Accept
The organization then selects an appropriate response, i.e., given the risk at hand, how to respond, and how to choose between the available response options. The following parameters are taken into consideration:
-> Cost of response: the cost of implementing controls or mitigating it
-> Importance of the risk addressed by the response
-> Effectiveness of the response and quality of the response
-> The organization’s ability to implement the response
The available resources, whether IT infrastructure or human, will always be limited, so the organization then has to prioritize the risks to be responded to in the first phase. High-level risks which have a very effective and efficient response should be addressed as a priority.
Mengxue Ni says
Nice post, Vaibhav!
We used to talk about the four ways to respond to risks in classes a lot. I think it can be applied to IT risks as well. I think identifying risks is very important. Understanding your risks is a critical step in understanding how you want to deal with them.
Andres Galarza says
I want to say that I saw in a previous lecture, or maybe another class, that another (unacceptable) risk response is to simply ignore it.
I point this out because we’re talking about what organizations SHOULD do when looking at how they respond to risks. There are plenty of examples of organizations that act negligently. Apologies for a political example, but you could make the argument that Secretary Clinton’s use of a private server was a decision to neglect completely any of the SHOULD risk responses.
When confronted by an FBI report that cited her/her staff as “completely careless” (1) in handling classified information, Secretary Clinton cannot then claim to have adequately responded to the risks inherent in her position.
(1) https://goo.gl/UKLcT8
Wenlin Zhou says
Jan’s section:
What is the difference between risk appetite and tolerance?
Risk appetite can be defined as “the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives.” Organisations will have different risk appetites depending on their sector, culture and objectives. A range of appetites exist for different risks and these may change over time. Risk tolerance is defined as “the degree, amount, or volume of risk that an organization or individual will withstand.”
Risk appetite and tolerance need to be high on any board’s agenda and are a core consideration of an enterprise risk management approach. IRM’s guidance provides practical direction, advice and information to support boardroom debate. While risk appetite will always mean different things to different people, a properly communicated, appropriate risk appetite statement can actively help organisations achieve goals and support sustainability.
The risk appetite statement is generally considered the hardest part of any enterprise risk management implementation. However, without clearly defined, measurable tolerances the whole risk cycle and any risk framework is arguably at a halt.
https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance/
Mansi Paun says
Q 1. What is the difference between risk appetite and tolerance?
A 1. Both risk appetite and risk tolerance set boundaries of how much and what kind of risk an organization is prepared to accept. Risk appetite broadly defines the level of risks that management deems acceptable and is willing to invest for, while risk tolerances are narrower and set the acceptable level of deviation from risk appetite. Risk tolerance is the limit of risk the organization can take beyond its desired risk objective.
For instance, consider that you want to shop for a scarf and have $20 to spend. Out of this, you expect to buy a scarf for less than $15 and set that as your budget for the scarf. However, you are still prepared to pay up to $20 if you cannot find a scarf that you like for less than $15. The ideal desired budget of $15 that you set is analogous to the risk appetite, whereas the extra $5 deviation from your budget that you are okay to spend is analogous to the risk tolerance.
http://www.coso.org/erm-faqs.htm
Andres Galarza says
Mansi,
I like your scarf example, and it helped me to better understand the differences between the two concepts.
Folake Stella Alabede says
1. What is the difference between risk appetite and tolerance?
Risk Appetite
ISO Guide 73:2009 Risk Management – Vocabulary defines risk appetite as the “amount and type of risk that an organization is willing to pursue or retain.”
Risk appetite is the level of risk that an organization is willing to accept (including financial and operational impacts) while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.
Risk appetite can also change over time. It’s always a good idea to assess risks against risk criteria periodically or continuously (e.g. once or twice annually, or daily in specific risk scenarios), depending on the circumstances, available resources, skills, technologies or systems.
Risk Tolerance
ISO Guide 73:2009 Risk Management – Vocabulary defines risk tolerance as “an organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”
Difference between Risk Appetite and Risk Tolerance
According to COSO’s “Strengthening Enterprise Risk Management for Strategic Advantage”, risk tolerance “reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve”, while risk appetite is defined as “a broad-based description of the desired level of risk that an entity will take in pursuit of its mission”.
COSO also explains the difference between risk appetite and risk tolerance:
Both risk appetite and risk tolerance set boundaries of how much risk an entity is prepared to accept. Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while risk tolerances are narrower and set the acceptable level of variation around objectives.
For instance, a company that says that it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top-10 customers to decline by more than 10% it is expressing tolerance.
Operating within risk tolerances provides management greater assurance that the company remains within its risk appetite, which, in turn, provides a higher degree of comfort that the company will achieve its objectives.
Magaly Perez says
What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk that an organization is equipped to accept in order to achieve its business objectives. Risk tolerance is an accepted deviation from a company’s risk appetite that a business finds tolerable in order to achieve its business objective.
For example, an organization may have a very low risk appetite, yet want to pursue a certain activity in order to achieve their end goal business objective. Therefore, the business decides to take a risk in an area even though that risk might be exceptionally high for the company, since it is still within the business’s overall comfort.
Ming Hu says
What three types of IT risk are there? Can you give an example of each?
IT Benefit/Value Enablement Risks – revolve around using technology to enhance efficiency or effectiveness in current processes or strengthen IT security. E.g. a power outage at Delta Air Lines Inc. cost Delta millions of dollars and damaged its hard-won reputation, resulting from its outdated IT systems that date from the 1990s.
IT Program/Project Delivery Risks – these risks are associated with completion of projects, programs and other aspects of portfolio management. E.g. numerous project design problems and project inconsistencies at Airbus arose from poor communication and coordination, leading to billions over budget.
IT Operation/Service Delivery Risks – these risks are about IT’s ability to provide IT services (hardware, software, etc.) to its customers (end-users, the lines of business, the corporation). E.g. Lenovo Solution Center (LSC) hardware scan detects failure for Intel HD Graphics 520 on ThinkPad E460 & E560.
Mengxue Ni says
Good explanations and examples, Ming!
These three types of IT risks stand for each step of operating a project. First, before you start a project, you need to decide on the technology that you want to use and that can help you spend the least money to get the best result. Second, when you are processing the technology, you need to make sure everything goes right. Lastly, after finishing the project, you need to follow up and evaluate “is the project successful?”
Kevin Blankenship says
Great examples!
It’s clear that there are risks associated with each step of a project, as well as the ongoing operation of the technology.
Joseph Henofer says
3. How can an organization respond to any IT risk?
An organization can respond to IT risk in many ways, but the four main ways are by risk avoidance, risk mitigation, risk transfer and risk acceptance. By defining a risk response plan you’re bringing risk in line with the defined risk appetite for your organization.
-Risk Avoidance is when you do nothing with the identified risk. This is different from risk acceptance because in risk acceptance you’re choosing to accept the risk and the impact of your choice. Now there are a few factors that go into risk avoidance, like the risk cannot be shared or transferred and the risk is unacceptable by management.
-Risk Acceptance is the willingness of an organization to assume the risk. In this case the organization knows the risk and is determining the course of action. Risk acceptance should be a conscious decision that some companies incur, but due diligence should always happen, ensuring that the decision is not based on a lack of information or execution.
-Risk Mitigation is when you are reducing risks by implementing controls, fixes or other countermeasures that have a direct effect on the risks that your company identified.
-Risk Transfer is when a risk is reduced by transferring or sharing a portion of the risk with a willing third party. Some examples of risk transfer are purchasing insurance and outsourcing.
Richard Flanagan says
Joe,
I’m not sure if you have risk avoidance right or not. Risk avoidance is when a company chooses not to pursue a business strategy or activity because of the risk. My old company knew more about paint than any of the paint companies you know (SW, Asian Paint, Behr etc.) because we sold them the technologies they used to make their paint. We never actually went into the paint business because we were scared of the risks associated with selling to consumers. We were an industrial company and really didn’t understand consumer sales, hence we viewed such a move as very risky and avoided it by never going into the business.
Joseph Henofer says
Prof,
I would agree your definition is better put and easier to understand. I would say using the word “nothing” makes my definition a little confusing. Your example has provided me with better insight into how to look at and work with risk avoidance.
Ahmed A. Alkaysi says
1. What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk that the company is willing to accept to achieve its business objective. Risk tolerance is the maximum threshold the company is willing to accept for that specific risk. Risk appetite is like making a general statement: “I want to take a high amount of risk for this business objective” Risk tolerance would further define what the “high amount of risk” is: “I am willing to risk up to $200k for this…”
Ahmed A. Alkaysi says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk are: IT benefit/value enablement risk, IT program and project delivery risk, and IT operations and service delivery risk.
IT benefit/value enablement risk – is defined as “missed opportunities to use technology to improve efficiency/effectiveness of business processes.” (IT Risk Framework)
An example of this would be developing a new IT function when an existing one can be leveraged. At work, we create “packets” which are used to send information from our systems to different parts of the organization. Let’s say we get a new requirement that needs to send some information to a specific team. Instead of leveraging the existing “packet” that is already being used and adding additional fields to it, we instead create a brand new “packet.” This could be a less cost-effective way of satisfying the requirement.
IT program and project delivery risk – an example would be having the right technical resources in order to accomplish project objectives.
IT Operation/Service Delivery Risks – an example would be something going wrong promoting code during a production release. This could cause longer system downtime and the loss of resources.
Ahmed A. Alkaysi says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
The three processes are: Risk Governance, Risk Evaluation, and Risk Response.
Risk Governance: This process is the framework in place for risk mitigation in the company. Concepts such as risk appetite, risk tolerance, and risk thresholds are defined in this area. This process covers the expectations by management in regards to risk taking, the policies in place to mitigate risk, and the communication of risk throughout the company. An example of communication is the use of training provided to employees to discuss risk. Risk Governance creates the culture that defines what risk means in the company.
Risk Evaluation: This section specifies what risk is. Here, analysis is conducted to define risk. There are two methodologies that can be used to evaluate risk, the top-down approach and the bottom-up approach. The top-down approach defines risk by looking specifically at the business objectives. Generally, this method is used by management. The bottom-up approach determines risk by the specific system/function. This method is usually done by the employees working in their specific areas.
Risk Response: This process makes sure that residual risk is within the company’s risk tolerance. The use of risk metrics called Key Risk Indicators (KRI) is essential in this process. KRIs help provide an early warning of high risk, show previous risk events that occurred that can be used for evaluations, and provide an indication of the company’s risk appetite and tolerance. This area also defines how to manage risk, either by using Risk Avoidance, Risk Mitigation, Risk Sharing, or accepting risk.
Ahmed A. Alkaysi says
4. How can an organization respond to any IT risk?
The organization can respond to any IT risk by using either Risk Avoidance, Risk Mitigation, Risk Sharing, or Risk Acceptance.
Risk Avoidance is finding a way to remove risk altogether. For example, moving a data center to a location that has a rare occurrence of earthquakes will basically remove the risk of the data center being destroyed by an earthquake.
Risk Mitigation is the action taken to reduce a risk event from occurring. Generally, having controls in place around the process that requires risk mitigation will help reduce the chances of that risk from occurring.
Risk Sharing is the concept of sharing some of the risk with another entity. For example, buying insurance or outsourcing IT activities. If a company is afraid of its data center being hacked, they can outsource their data needs to a company with stronger risk response and strategies. In essence, they are now sharing the risk of their data center being hacked.
Risk Acceptance is accepting loss due to the risk event occurring. This doesn’t mean that the risk is unknown. In this case, the risk is known and it is acceptable for the company to take no action in avoiding, mitigating, or sharing it. This is a plausible strategy in cases where risks are very small and to non-priority systems and it is cost-effective to just accept the risk itself.
Richard Flanagan says
Ahmed,
See my earlier post about Risk Avoidance. Your example is really risk mitigation. And remember, mitigation can do two things:
1. Reducing the likelihood of a risk occurring
2. Reducing the impact of the risk when it does occur.
Ahmed A. Alkaysi says
Hi Professor,
You are correct, my example wouldn’t really eliminate the risk of the earthquake, there would still be a chance of the earthquake, however small.
I understand now that risk avoidance is about changing the business strategy in order to eliminate the risk, instead of managing the risk itself.
Paul Linkchorst says
Professor Yeoman’s Section
What is the difference between risk appetite and tolerance?
According to an article found on the Risk Management Society’s website, the difference between risk appetite and risk tolerance is the difference between wants and needs. In order for a business to have success and receive the “rewards”, companies must take on some form of risk. Risk appetite is the total exposed amount that a company wishes to have in order to have a good risk-reward balance. Risk tolerance is the limit of how much risk they accept, identifying what is acceptable and what is unacceptable. The latter is more critical, since failure to identify risk tolerances can lead to the discontinuation of a business if the organization cannot meet the financial requirements from the risks. Therefore, it is important for an organization to develop a clear set of risk tolerances which are communicated throughout an organization, especially since each individual’s own interpretation of risk is different.
Source: https://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf
Mengxue Ni says
Nice post, Paul!
According to your post, risk appetite is what an organization wants. Risk tolerance is what an organization needs. This is very interesting! To add more to it, from what I found the difference between these two terms is that risk tolerance is the level of risk that an organization can accept per individual risk, whereas risk appetite is the total risk that the organization can bear in a given risk profile.
Joseph Henofer says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk are
IT benefit/value enablement risk – An example of this would be Blackberry, in the mid to late 2000’s they had more than half of the market share of phones in the U.S. Blackberry ignored the touch screen based technology believe that their phones would remain the standard for enterprises going forward.
IT program and project delivery risk – An example of this was when Michael Robertson the CEO of MP3.com in 2001 decided to launch the operating system Linspire (LindowsOS). This project was supposed to take advantage of execution of Windows programs and the stability of the Linux platform. The OS was being sold on cheap PC systems by Walmart which gave them a strong sales partner. But after Microsoft took legal action because the name was similar to Windows the OS faded and renamed itself to Linspire.
IT operations and service delivery risk – In 1993 Fox Meyer Drugs decided to increase efficiency by integrating SAP and a warehouse automation system. This was supposed to be a $35 million project but ended up causing the company to go bankrupt.
Folake Stella Alabede says
Thanks Joseph for this great example breakdown.
I’ve been surfing the net trying to get a grasp of how examples could be, but the examples I see and can think of would fall within either of the 3 risks and are not specific to either IT benefit/value enablement risk or IT program and project delivery risk or IT operations and service delivery risk.
Spot on for IT benefit/value enablement risks (which are associated with opportunities to use technology to improve efficiency or effectiveness of business processes) is the Blackberry. Like years ago, having a Blackberry was the in thing; I personally used the Blackberry for many years, but like you said, “Blackberry ignored the touch screen based technology”, and they ignored a lot of other things too, so I had no choice but to switch to the iPhone. Blackberry had a revenue decline of $19,907 billion in the year 2000 to $2,160 billion in 2016.
I also like your example of the IT Operations and Service Delivery Risk (which are IT operations and service delivery risks associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the company). This risk caused the reduction/destruction of Fox Meyer Drugs.
Priya Prasad Pataskar says
Q] In your own words explain what occurs in each of the three processes included in the IT Risk Framework
Organizations face various risks like strategic risk, environmental risk, market risk, credit risk, operational risk and compliance risk.
The Risk IT framework explains how to deal with risks and enables organizations to manage risks, to help reduce risks’ negative impact and to make risk-return-aware decisions. This framework will help organizations respond to risk.
The three domains of the Risk IT framework (Risk Governance, Risk Evaluation and Risk Response) each contain three processes.
A. Risk Governance – Ensuring alignment of risk management practices in the enterprise level objective
1. Integrate with ERM
2. Make risk aware business decisions
3. Establish and maintain a common risk view
The essentials of good risk governance are
Define risk appetite – The enterprise’s objective capacity to absorb loss
Define risk tolerance level – The tolerable deviation from the level set by the risk appetite definition
It is important for the IT team and governing bodies to establish a risk management environment. All stakeholders must be aware of the risk, acknowledging that risk is an integral part of the business. Organizations must never be under a false sense of confidence about risk handling. Top management must be aware of the actual exposure related to IT. Lack of communication can lead to improper handling of risk, which can cause a greater loss impact.
Risk Culture – It is necessary for an organization’s top leaders to impart a risk culture. Everyone in the organization must be aware of behavior towards taking risk, following policies and what to do in case the negative impact of a risk hits the organization. All levels within an enterprise must be aware of how and why to respond to adverse IT events.
B. Risk Evaluation – It is important to measure the risk. Risks must be analysed and defined, and their impact and occurrence must be measured.
1. Analyse risk
2. Maintain risk profile
3. Collect data
This process is used to compare the estimated risk against the given risk criteria so as to determine the significance of the risk. Evaluation of risk is useful in the decisions for risk treatment.
Impact – Calculation of how risk adverse events may affect business objectives. There are several techniques and options to calculate impact. Organizations need to identify the important and relevant risks. A top-down or bottom-up approach can be used to identify risks. Risks must be categorized as internal or external. Risk factors, risk scenarios and asset categorization are important to identify risk. Defining key risk indicators helps analyze the risks and the root causes of risks that will impact the business.
A current risk profile will help determine the current risk management process, while the target profile will be the risk management plan that the organization is willing to reach and sets that target as its objective.
C. Risk Response – Organization must define the process to deal with risks.
1. Manage Risk
2. Articulate Risk
3. React to events
Risks must be treated, after being defined, in a cost effective way to mitigate the results of risk occurrence. The risk response process helps bring risk in line with the defined risk appetite for the enterprise after risk analysis. Risk avoidance, risk reduction, risk transfer and risk acceptance are the ways to treat risk. It is necessary to prioritize risk responses.
Source: http://www.isaca.org/Knowledge-Center/Research/Documents/Risk-IT-Framework-Excerpt_fmk_Eng_0109.pdf
Deepali Kochhar says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
The three processes included in IT risk framework are:
Risk Governance: This ensures that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk adjusted return. This may include Integration with ERP, making risk-aware business decision, establishing and maintaining common risk view.
For example, establishing common guidelines and procedures to be followed by employees within the organization.
Risk Evaluation: Ensure IT related risks and opportunities are identified, analyzed and presented in business terms. This may include risk analysis, maintaining risk profile and collecting data.
For example, collecting and analyzing access logs to verify authorization and authentication.
Risk Response: Ensure that IT related risk issues, opportunities and events are addressed in a cost effective manner and in line with business priorities. This includes managing and articulating risk as well as reacting to the events.
For example, in an event of server downtime, the secondary server is up as a part of disaster recovery.
Said Ouedraogo says
Risk Appetite: “The degree of uncertainty an entity is willing to take on in anticipation of a reward.”
Risk Tolerance: “The degree, amount, or volume of risk that an organization or individual will withstand.”
Said Ouedraogo says
While risk appetite is about the pursuit of risk, risk tolerance is about what an organisation can actually cope with. In fact, risk appetite is the amount and type of risk that an organization is willing to pursue or retain and the appropriate level of appetite will depend on the nature of the work undertaken and the objectives pursued.
Whereas, risk tolerance is the specific maximum risk that an organization is willing to take regarding each relevant risk. It’s basically what an organization can afford to lose and how it handles risk.
Folake Stella Alabede says
4. How can an organization respond to any IT risk?
The way organizations respond to risk will be different from organization to organization, depending on how management views the risk in terms of magnitude and how they define their risk appetite and tolerance.
The four basic ways an organization can respond to IT risk:
Avoid.
Risk can be avoided by removing the cause of the risk or executing the project in a different way while still aiming to achieve project objectives. Not all risks can be avoided or eliminated, and for others, this approach may be too expensive or time-consuming. However, this should be the first strategy considered.
Mitigate
Mitigating risk means that you are reducing risks by implementing controls, fixes or other countermeasures that have a direct effect on the risks identified.
Taking early action to reduce the probability and/or impact of a risk is often more effective than trying to repair the damage after the risk has occurred.
Transfer.
Transferring risk involves finding another party who is willing to take responsibility for its management, and who will bear the liability of the risk should it occur.
Transferring risk can take various forms, including outsourced services. The aim is to ensure that the risk is owned and managed by the party best able to deal with it effectively. Risk transfer usually involves payment of a premium, and the cost-effectiveness of this must be considered when deciding whether to adopt a transfer strategy.
Accept
Accepting the risk is a business decision that is reflective of the “acceptable risk level,” or the willingness of the organization to assume the risk.
This strategy is adopted when it is not possible or practical to respond to the risk by the other strategies. When the decision is made to accept a risk, an agreement is reached to address the risk if and when it occurs. A contingency plan may be developed for that eventuality.
Loi Van Tran says
Folake,
Thanks for the post. For the avoidance description, it seems more of a mitigation to me. But I might be wrong. To me, avoidance means not executing on a project due to the associated risk of the project. The purpose of avoidance is to eliminate the risk altogether. Doing a project a different way doesn’t necessarily eliminate the risk, but will probably reduce the likelihood and/or impact of that risk (mitigate). For instance, a brick and mortar shop wants to implement an e-commerce site, but the risk of cyber attacks cannot be eliminated. Instead they choose to stay as a pure brick and mortar shop.
Folake Stella Alabede says
Thanks for the observation Loi,
You said “To me, avoidance means not executing on a project due to the associated risk of the project”; that might even still mean mitigating, because I came across all different kinds of definitions for risk avoidance while doing my research. One was that “There is confusion between Avoiding risk and Accepting risk. Avoiding risk means you are going to do nothing with the identified risks”, and I was kinda a little confused about that definition.
So if you choose not to execute on a project, you are still doing something about it (what do you think, Loi?).
Thanks for pointing this out though, I might dig a little further to better understand risk avoidance. I’ll look for some examples of risk avoidance in the context of “not doing anything about an identified risk”.
Folake Stella Alabede says
Hey Loi,
I was just reading through the blog and saw that Prof Rich has shed some more light on this.
Prof Rich says risk avoidance is when a company chooses not to pursue a business strategy or activity because of the risk.
So I guess you were right; not everything we read on the internet is perfectly correct, right?
I wonder what category of IT risk “you are going to do nothing with the identified risks” would fall into though.
Thanks Loi
Loi Van Tran says
Hi Folake,
I think that the best answer for not doing anything with a known risk would probably fall into risk acceptance. Risk acceptance basically means that no action is taken relative to a particular known risk, and the loss from the risk is accepted when/if it occurs. The company may choose to accept the risk without adding controls or mitigating, based on their risk appetite and tolerance. They basically deem that the loss from that risk is negligible.
Paul M. Dooley says
Yes, I agree that not doing anything would fall into risk acceptance; however, the prerequisite action is that it was identified and analyzed in order to make an educated decision to do nothing. Ignorance of the risk is not acceptable. Just a different perspective when using terms like “not doing anything.”
Richard Flanagan says
Folake,
I think a good example of an IT risk that many companies just plain avoid is upgrading their legacy systems. Ripping out and replacing those core systems that keep a company running is a very risky move. Many companies decide it is just too risky to do and hence do nothing. Eventually this might hurt them but in the short term it may seem to be the best idea.
Did you read the earlier comment about the company that chose to replace their systems with SAP and then went bankrupt? There are a lot of these examples, as well as examples of SAP successes. Either outcome is possible, so it’s a risk: are you willing to take it or will you just avoid it?
Folake Stella Alabede says
Thank you for the explanation Professor, I definitely read and even commended Joseph about the great examples about the Fox Meyer Drugs SAP integration and warehouse automation system.
I have another question though: while writing up on the AWA caselet, the organization choosing to use COBOL, which is costing them so much money, instead of changing to another programming language would be what type of risk?
Anthony Clayton Fecondo says
Loi, good catch. I agree. Your definition of avoidance is spot on. An interesting thought that occurred to me is that avoidance could also be a means of mitigation. For example, if you elect to pursue a project, but eliminate small parts of that project to avoid the risk, you are still taking on the risk of the project, but you’re reducing the risk by narrowing the project scope.
I guess my thoughts are, is your approach only considered avoidance if you avoid the entire project (and in doing so, avoid all associated risks). If you practice avoidance only to aspects of a project is that still avoidance or is that a form of mitigation? Perhaps avoidance is really just a subset of mitigation.
Ahmed A. Alkaysi says
Good example Loi. I made the same mistake with defining Risk Avoidance. This particular way to manage the risk is to avoid it altogether by using a different strategy.
Fangzhou Hou says
Jan’s Section
What is the difference between risk appetite and tolerance?
Generally, the risk appetite is the amount and type of risk that an organization is willing to take in order to meet their strategic objectives, and depending on different sectors, the organization may have different risk appetites. Compared with the risk appetite, the risk tolerance is more like the degree of variability in investment returns that an investor is willing to withstand.
For example, as for an angel investor who is looking for a high return rate in an investment project, he or she may prefer the risk appetite with higher risk, since the risky investment may also bring higher investment return. As for an individual investor who prefers a low risk investment, his or her risk appetite may be the safe type of investment like bonds or insurance. From an organization’s perspective, the risk tolerance means the limitation of the risk to take. Therefore, the risk appetite and tolerance
Source: https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance/
Alexander B Olubajo says
1. What is the difference between risk appetite and tolerance?
The difference between risk appetite and risk tolerance can be found from the definition of both:
Risk appetite is the broad-based amount of risk a company, organization, or other entity is prepared and willing to accept in order to pursue/achieve its mission/objectives. Here, in looking at the risk appetite of an entity, two factors are observed. The first is the enterprise’s objective capacity to absorb loss, e.g. financial loss, reputation damage; the second is the management’s culture or predisposition towards taking risk – cautious or aggressive. The two questions mostly associated with risk appetite are:
— What is the amount of loss the enterprise wants to accept in order to pursue a return?
— Do the benefits of taking that risk outweigh its cost?
Risk tolerance is the tolerable deviation from the level set by the risk appetite and business objectives. It is the acceptable variation relative to the achievement of an objective. For example, organizations allowing projects to be overrun by a certain percent of budget and time – that percentage is the organization’s tolerance.
In summarizing both definitions, risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its business objectives, while risk tolerance is the specific maximum risk that an organization is willing to take regarding each relevant risk.
Source: ISACA IT Risk Framework.pdf
Alexander B Olubajo says
2. What three types of IT risk are there? Can you give an example of each?
According to the ISACA IT Risk Framework, IT risk can be categorized into the following three types/ways:
— IT Benefit/Value Enablement Risk: which are the opportunities missed as a result of the enterprise not using technology to improve the efficiency and effectiveness of business processes, or as a means to enable new business initiatives. An example of this could be an enterprise opting to continue using their legacy systems/business applications that offer no form of integration with each other just because they want to save money and their employees are used to operating them, as opposed to adopting newer, easy-to-use business applications and systems that are more robust and offer integration amongst them.
— IT Programme and Project Delivery Risk: are the contributions IT makes to new or improved business solutions, usually in the form of projects and programmes. This translates into investment portfolio management. An example of this could be the risk involved when an enterprise decides to invest and roll-out an innovative solution to aid a particular business process/function.
— IT Operations and Service Delivery Risk: majorly deals with aspects of IT systems and services performance, which can bring destruction or reduction of value to the enterprise. An example of this could be an enterprise replacing their old IT operations and service delivery process and implementing a new overly sophisticated / complicated process that may take time for IT personnel and employees to be educated on.
Jason Wulf says
1. What is the difference between risk appetite and tolerance?
Risk Appetite is the amount of risk the organization is willing to accept on a broad level, while Risk Tolerance is the amount of risk the organization will accept on a narrow level such as specific projects or a business unit level. Risk Appetite is typically discussed in strategies by a board of directors or senior management, while Risk Tolerance is discussed in operations with quantitative terms towards acceptable and unacceptable levels.
Anthony Clayton Fecondo says
Jason, you gave a really concise explanation of the difference between risk appetite and tolerance. The definitions from the book were technical and I felt didn’t clearly articulate the difference, but your explanation makes the concept very easy to understand. Thank you!
Jason Wulf says
Thanks. One of my instructors said “If you can’t state it simply, then you don’t understand it”, unlike another instructor who would write paragraph-long sentences with words I had to look up in the dictionary.
Paul M. Dooley says
Yes, I’ll have to second Anthony’s perspective on the response. Very concise but very clear.
Jason Wulf says
Thank you!
Loi Van Tran says
How can an organization respond to any IT risk?
The four primary responses for IT risks are:
Avoidance
When an organization chooses not to pursue a project, strategy, or activities because of the risk(s) involved. This is the case when the risks cannot be transferred, the risks cannot be cost-effectively mitigated, or they do not fall below the defined threshold for risk appetite and tolerance.
Reduce/Mitigate
When the organization implements controls to reduce the likelihood of the risk event happening and/or reduce the impact if the risk event occurs.
Share/Transfer
When an organization chooses to reduce the likelihood or impact of a risk by either sharing or transferring the risk to a third party. Examples include insurance or outsourcing.
Accept
When an organization knows of the risk and is willing to accept the loss when/if it occurs. The decision to accept risks should be made by business management/process owners in collaboration with IT and should be communicated to senior management and the board.
Andres Galarza says
Loi,
I want to emphasize how important the communication to management/board aspect of accepting risk is. Not being able to see an iceberg ahead of you is bad news.
Alexander B Olubajo says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
The IT Risk Framework is majorly broken down into three areas. These areas are Risk Governance, Risk Evaluation, and Risk Response.
— Risk Governance: In this process an enterprise examines risk. They are to ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return, establish and maintain a common risk view, as well as allowing them to make risk-aware decisions. Here the enterprise has to understand the following essential components of risk governance:
–> Risk appetite
–> Risk tolerance
–> Risk culture
–> Responsibilities and accountability for IT risk management
–> Awareness and communication
— Risk Evaluation: In this process an enterprise which will have accepted risk will have to understand it to know what risks they are being faced with. They ensure IT-related risks and opportunities are identified, analysed by collecting data and presented in business terms. This process allows the enterprise to maintain a risk profile. This process can be carried out from either a “top-down” approach where one starts from the overall business objectives and performs an analysis of the most relevant and probable IT risk scenarios impacting the business objectives, or a “bottom-up” approach where (by staff identify the risks and select them to be evaluated) a list of generic scenarios is used to define a set of more concrete and customized scenarios, applied to the individual enterprise situation. Here the enterprise looks at the following essential components of risk:
–> Actor
–> Threat type
–> Event
–> Asset / Resource
–> Time
— Risk Response: This process is all about an enterprise managing and responding to risk. They ensure IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business objectives. Here an enterprise will look to respond to significant risks they face in some of the following ways:
–> Accept the risk
–> Avoid the risk
–> Share/transfer the risk
–> Reduce/mitigate the risk
Folake Stella Alabede says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
The three processes in the IT Risk Framework are: Risk Governance, Risk Evaluation and Risk Response.
What occurs in each of these three processes:
Risk Governance
Ensure that IT risk awareness exists; risk appetite and tolerance are established and approved by management; IT risk is aligned with the organization’s business objectives; there is a measure in place to ensure risks are being addressed.
Risk Evaluation
Define, identify and analyze risks; collect data for risk analysis and maintain a risk profile
Risk Response.
After risk has been evaluated and analyzed, risk response is about managing the defined risk and then responding to a risk event when it occurs by choosing one of the 4 risk response options that have been previously defined (in Question 4- as risk avoidance, risk mitigation, risk transfer and risk acceptance.)
Alexander B Olubajo says
4. How can an organization respond to any IT risk?
An organization can respond to any significant IT risk they face in any of the following ways:
–> Risk Avoidance: this is when an organization will avoid a risk entirely by not engaging in, or exiting, activities or conditions that give rise to risk (i.e. make risk come alive). Organizations will avoid certain business opportunities when they see the risk being too high for the potential benefit, the risk for that business opportunity cannot be shared or transferred, and the potential risk is deemed unacceptable by management.
–> Risk Reduction or Mitigation: is when an organization takes certain actions to detect the presence of a risk, followed by actions to reduce the frequency and/or impact of that risk. An example of ways some organizations may look to do this could be by introducing and putting a number of controls (preventative, detective, and corrective) in place in order to reduce the frequency of an adverse event happening and/or the business impact of an event, should it happen.
–> Risk Sharing / Transfer: this is when an organization will look to reduce the risk frequency or impact by transferring or sharing a portion of the risk. Common / popular ways organizations look to accomplish this are by purchasing insurance to help cover/settle the cost, by outsourcing part of the IT activities, or by sharing IT project risk with the provider through fixed price arrangements or shared investment arrangements.
–> Risk Acceptance: is when an organization doesn’t take any action relative to a particular risk and is ready to accept the loss associated with that risk when/if it occurs. It is assumed that the risk is known by the organization and an informed decision has been made by its management to accept it as such. Organizations will in most cases accept a risk due to the probability of the adverse event occurring being low, and if approaches to reduce a catastrophic risk are prohibited.
Xiaodi Ji says
Alexander,
I agree with your idea about Risk Avoidance. Some companies deliberately ignore some risks because of the benefit. I believe this is the worst method to solve the problem. There is an example, in which the Note 7 blew up. At the beginning, when they got reports, they did not pay much attention to it and thought this was just an individual case. They also thought the Note 7 blew up because users did not follow the rules. They tried to avoid this problem until more and more news showed this was not an individual case. This happened because of the structure of the phone itself. Finally, the company had to recall all of the cellphones. They wanted to save interest and reduce the influence of the risk. However, they had to pay more for it.
Therefore, I think this is a dangerous method. It not only cannot help us solve the risk, but it also can make the risk more terrible. However, sometimes a company has to use this method to reduce the influence. Thus, a company can use this method for some small risk for a short time, but they have to find a method to solve it in the future.
Alexander B Olubajo says
Xiaodi,
Great example of a huge enterprise company such as Samsung opting to respond to risk. In this case, they obviously chose the wrong way to respond to this risk, as it not only backfired on them but also caused them some reputation damage as well as a decrease in quality, which will take some time for them to regain.
Thanks for sharing that example.
Binu Anna Eapen says
3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Risk IT is not a standard but a framework and includes a process model and good practice guidance. Organizations should/can customize the components provided in the framework to suit their business objectives. The process model is divided into 3 domains grouping the key activities, each containing 3 processes:
• Risk Governance: This ensures that the organization has a risk culture and the risk management practices are embedded from top level to the bottom level. It is concerned with getting optimum returns even after undertaking the risk. The three processes in this include the following
(a) RG1: Establish and maintain a common risk value
(b) RG2: Integrate with ERM
(c) RG3: Make risk-aware business decisions
• Risk Evaluation: This ensures that all the risks are identified, analyzed and presented in business terms. Evaluates the organizations’ willingness to take the risk, defines the risk appetite and calculates the cost involved and make decisions to maximize the return of investment.
(a) RE1: Collect Data
(b) RE2: Analyse Risk
(c) RE3: Maintain Risk profile
• Risk Response: The IT risks that have been identified are then addressed in a cost effective manner and are aligned with the overall business objectives and the priorities set.
(a) RR1: Articulate risk
(b) RR2: Manage risk
(c) RR3: React to events
Binu Anna Eapen says
1. What is the difference between risk appetite and tolerance?
Risk Appetite: It defines the amount of risk that the organization is willing to accept in achieving its mission.
– It broadly considers the level of risk that the management is ready to accept
Risk tolerance: It defines the acceptable level of variation relative to achieving the business objective. That is, even if a risk is not addressed completely, how much the company can bear without incurring losses or deviating from the set business goals.
– It is narrow and sets the acceptable level of variation around the objective.
Both risk appetite and risk tolerance change over time with new technologies, new goals, new structure, market conditions, acquisitions and mergers etc.
If two organizations have the same risk appetite, the risk tolerance may vary on the basis of the approach they take towards risk: that is, whether to mitigate it, transfer it, share it or accept it.
Wen Ting Lu says
1. What is the difference between risk appetite and tolerance?
Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.
Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.
In order to make profit and deliver value to shareholders, companies must take risks. The level of risk they pursue is their appetite for risk. Risk appetite is the risk you NEED to take (strategic). But they may be able to tolerate, or absorb, a different level of risk without significant impact on achieving their strategic objectives. This is their tolerance. Risk tolerance is the risk you PREFER to take (physiological).
Source: https://normanmarks.wordpress.com/2011/04/14/just-what-is-risk-appetite-and-how-does-it-differ-from-risk-tolerance/
Ryan P Boyce says
1. What is the difference between risk appetite and tolerance?
Simply, the difference between risk appetite and risk tolerance is the amount of risk a company or individual wants to consume in the form of projects versus what they can afford to consume in the form of amount of risk that is brought on by those projects. Naturally, implementing an IT project or new IT practice involves incurring some level of risk. A company’s budget, for example, may indicate it is able to incorporate many projects/practices into its portfolio. The risks associated with these endeavors may be too high so, therefore, the tolerance for which they can sustain these projects is such that they cannot implement them. Here, the appetite is very high but the tolerance is low. Expanding or adding IT initiatives is a good thing for companies but not when the risks outweigh the rewards.
Ryan P Boyce says
2. What three types of IT risk are there? Can you give an example of each?
The three processes of the Risk IT Framework are Risk Governance, Risk Evaluation, and Risk Response. In the Risk Governance phase, a company looks at risk as it applies to their IT practices. The biggest area of concern for a company in this area is how large their appetite is for risks associated with IT projects versus how tolerant they are or could be of the impact of the risk. Here, also, companies determine high level approaches to IT risk such as communicating the risk, who will be responsible for the risk, and determining how risk will impact the culture of the business. Next, the Risk Evaluation aspect of the Framework determines how a company views the impact of the risk. A major component of the evaluation process is looking at the actual scenario of a risk from beginning to end. This involves looking at the actor, threat type, the event, the asset resource affected, and the time, which can be the duration of the event or the time taken to detect the event. Lastly, Risk Response is focused primarily on how a company retaliates after a risk has occurred. This may involve controls that are put in place to remediate the effects of the risk and ensure the risk never occurs again.
Yu Ming Keung says
According to COSO, risk appetite and risk tolerance are very similar; they both indicate the risks that an organization is willing to take and accept. However, there are some differences between the two based on the measurable acceptance level of risk.
Risk appetite is a higher level statement that considers broadly the levels of risks that management deems acceptable while risk tolerances are more narrow and set the acceptable level of variation around objectives. Risk appetite is defined as the amount and type of risk that an organization is willing to take in order to meet their strategic objectives. Organizations will have different risk appetites depending on their sector, culture and objectives. A range of appetites exist for different risks and these may change over time.
Example:
Risk appetite: A company does not take risks that can result in loss of revenue and loss of customers.
Risk tolerance: A company would not take risks that would cause revenue from its top-10 customers to decline by more than 10%.
Source:
http://www.coso.org/erm-faqs.htm
Loi Van Tran says
Yu ming, thank you for the post.
From the reading (ISACA – The Risk IT Framework), my understanding of risk appetite and risk tolerance is a little bit different. I look at risk appetite as the outer limit of acceptable risk exposure for the organization, while risk tolerance, or exceptions of acceptable risk, should not exceed the risk appetite. Risk appetite is more of an overall enterprise-level view of aggregated risk exposure. Risk tolerances are at the lower levels of the company, where the “acceptable” levels of exposure are defined in policies, but deviations or exceptions will be tolerated as long as they do not exceed the organization’s risk appetite.
Paul M. Dooley says
I have to agree with Loi’s description. My understanding is Risk Appetite is in fact the higher level description from an enterprise wide policy in risk acceptance while risk tolerance would be applied more to individual tasks or projects that the company takes on and how much risk the company will accept in taking on the projects.
Ryan P Boyce says
*The response to question 2 above is the response to question 3, In your own words, explain what occurs in each of the three processes included in the IT Risk Framework.
In general, risks associated with IT stem from three areas: hardware, software, and people. Coincidentally, these are the same three areas that make up an information system. Firstly, and arguably the area from which most risk will arise, are people. A very specific example of a human risk in IT is something as simple as a sysadmin rebooting the wrong server during upgrades (no coincidence I’m a sysadmin giving this example). Regarding hardware, a major risk lies in the unanticipated failure of a disk drive. Data can be written across multiple disk drives in different forms of RAID, including mirroring. Hard drive failure is still a major concern even when data is duplicated, however. Lastly, software poses a risk and, especially in the current state of IT with encryption playing a major role, the impact of software risks can be extremely high. Encryption is a key software feature built in to all operating systems now. A risk now exists at the Windows operating system level, as there is the potential (albeit a small potential) that the OS faults during its execution of encrypting data.
Ryan P Boyce says
4. How can an organization respond to any IT risk?
In looking at this question from the perspective of responding to a risk before the event happens associated with that risk, a company can respond to any IT risk by mitigating the risk. In theory, any risk can be avoided completely, however some IT practices are mandatory for an organization to function at mission critical levels. Here, it is possible to get rid of the risk altogether but it is not feasible from a business process perspective. In theory, also, it should be possible for a company to mitigate an IT risk. Look at the example of how data is written to disk drives to enable redundancy. Here, in the event one of the drives fails, the data can still be retrieved, thus effectively mitigating the risk of losing data. Of course the easiest of answers to this question and one which can be argued to apply to any area of IT, is to take an insurance policy out on a risk facing a company. If internal measures will not suffice, presumably there is some insurance company out there that would insure a loss at what could be a very high rate, but a rate and policy nonetheless.
Anthony Clayton Fecondo says
3. How can an organization respond to any IT risk?
An organization has four options for responding to risk. These options are:
1. Risk Avoidance: the organization can choose not to pursue certain activities in order to avoid risks that it doesn’t feel comfortable with.
2. Risk Acceptance: an organization can understand the risk of a given activity, but not deem it necessary to address and pursue the activity without any efforts to manage the risk.
3. Risk Transfer: an organization can determine the risk associated with a given activity is greater than it feels comfortable handling alone and transfer some of that risk to a third party through insurance, stop-loss coverage, purchase of a warranty, etc.
4. Risk Mitigation: an organization may deem risks associated with certain activities too significant to go un-managed. In these cases, the organization will implement precautions and procedures to reduce either the likelihood of an event occurring or to reduce the severity of an event if it occurs. For example, fire suppression systems are a form of mitigation.
The organization can deploy any option or any combination of these options in order to manage any given risk. Generally these management decisions will be made after carefully analyzing the likely frequency and severity of every event and comparing that risk to the value added by the activity.
Ahmed A. Alkaysi says
All World Airlines Case
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource it ALCS? Why or why not? Please post your answers on the class blog.
Risk analysis has been done on the two categories below:
IT Risks:
-Applications have been developed internally; while they can be outsourced, the scheduling and sensitivity analysis systems cannot. There could be an issue with integrating the systems if the company decides to outsource some applications but keep the ones with specific requirements.
-If programming gets outsourced to low-cost locations such as India, there could be a drop in the quality of the code if the research for outsourcing companies is not done well.
-IT needs to be compliant with SOX and PCI regulations, and if not, there could be IT control and/or security issues.
Human Resources Risk:
-The US Programmers will not be able to find jobs easily if fired, if they wanted to conduct this process smoothly, the company would need to invest many resources for a long time in order to assist these programmers to find other jobs.
-Long lead times to fire European programmers would reduce employee morale, which can lead to a reduction of the quality of work and disgruntled employees.
-If outsourcing to a foreign region, there will be cultural, language, and moral/value differences.
-HR would need to determine which employees to fire and which to keep for internal IT operations; the risk is getting rid of highly skilled employees while the remaining employees continue to have lower morale.
After looking at these risks, I would not make the decision to go ahead with outsourcing right now. There are too many issues that need to be vetted before even determining to outsource IT. An analysis of the risks and how to manage them needs to be conducted. After all this, possible companies to use for outsourcing need to be researched. At this time, the company shouldn’t jump into outsourcing, and should instead spend a bit more time creating a proper risk framework to fully understand the risks.
Nathan A. Van Cleave says
4. How can an organization respond to any IT risk?
An organization can respond to IT risk in the following ways:
Avoid
Risk can be avoided by removing the cause of the risk or executing the process/project in a different way while still aiming to achieve primary objectives. Not all risks can be avoided or eliminated, and for others, this approach may be too expensive or time-consuming. However, this is often the first strategy an organization considers.
Transfer
Transferring risk involves finding another party willing to take responsibility for its management, and bear the liability of the risk should it occur. The goal is to ensure that the risk is owned and managed by the party best able to deal with it effectively. Risk transfer usually involves payment of a premium, and the cost-effectiveness of this must be considered when deciding whether to adopt a transfer strategy.
Mitigate
Risk mitigation reduces the probability and/or impact of an adverse risk event to an acceptable threshold. Taking early action to reduce the probability and/or impact of a risk is often more effective than attempting to respond after the risk has occurred. Risk mitigation may require resources or time and presents a trade-off between doing nothing versus the cost of mitigating the risk.
Acceptance
This strategy is adopted when it is not possible or practical to respond to the risk by the other strategies, or a response is not warranted by the impact of the risk. When a decision is made to accept a risk, management is agreeing to address the risk if and when it occurs.
Loi Van Tran says
All World Airlines (AWA) has to decide whether or not they should outsource their IT because the cost of internal development and IT operations has become too expensive to support. The CIO, Deen Geekbine, was called upon to perform a risk analysis to help the CFO and CEO decide if outsourcing is a viable option for the company. Below is the list of IT and Human Resource risks associated with outsourcing:
IT Risks:
– Risks to confidentiality of information: What type of information will the third party manage, handle and store? Reservation systems have PII; the sensitivity analysis system has competitive components.
– Risks to business continuity; Does the provider have BCP/DRP in place for business interruptions? Does it have preventative controls, like redundant systems, for planned/unplanned outages? Does the geographical location make it more prone to natural disasters?
– Compliance Risk; is the third party SOX or PCI-DSS compliant?
– Operational and transaction risks: How is customer support handled? If offshore, would cultural differences be important? Can critical processes maintain reasonable uptime? What happens when there are system failures?
Human Resource Risks
– Transition Management: How will employees be transitioned out of the company? How will the knowledge of COBOL programmers be transferred? What sort of severance package will be necessary? What labor laws and regulations will apply?
– Stakeholder Support: Is the company ready for the change? Are stakeholders on board?
– Relationship Management: How would third-parties be managed? What type of governance will be appropriate? How would it be monitored? What is cost to managing cultural differences? What if vendor fails to deliver?
As the article pointed out, IT is not the core business at AWA. Its business is in transportation, and in order for it to focus on that, outsourcing IT should be continued. Although IT cost reduction is one of the factors in the decision, its IT resources and operations are quite standard, with a few exceptions. With any strategic business decision there are inherent risks that go along with it. The CIO must do his due diligence and consider all the risks associated with outsourcing. In the case of IT-related risks, he must understand how the selected vendor will maintain the confidentiality, integrity, and availability of information to ensure that the transition is a success. To do this he must identify all the relevant risks, assess the risks, and reduce the exposure to acceptable levels.
As in the GlobShop case, IT outsourcing has a huge impact on personnel for any organization. The GlobShop case showed us that if the organization is transparent and engages in open and honest communication about the company’s strategy, then it could have positive impacts on the personnel affected by the change. The company has to ensure that it is taking steps to help the transition of affected employees, provide some sort of severance pay structure, and come up with a temporary retention strategy to exchange knowledge for specialized applications. Doing this won’t necessarily mean that everybody will be on board, but it does help to know that the company cares about its employees and not just the business.
Andres Galarza says
Loi,
Fantastic breakdown. In particular, the care you take to mention what AWA should do with the employees that are affected by outsourcing really stands out.
Mengxue Ni says
What is the difference between risk appetite and tolerance?
Risk appetite
PMBOK Guide, fifth edition defines it as “The degree of uncertainty an entity is willing to take on in anticipation of a reward.” It is the level of risk that an organization is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk. Risk appetite allows organizations to determine how much they are willing to take risks in order to innovate in pursuit of objectives.
Risk Tolerance
PMBOK Guide, fifth edition defines it as “The degree, amount, or volume of risk that an organization or individual will withstand.” It is more granular and affects individual risks. Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.
Risk tolerance is the level of risk that an organization can accept per individual risk, whereas risk appetite is the total risk that the organization can bear in a given risk profile, usually expressed in aggregate. Risk tolerance is related to the acceptance of the outcomes of a risk should they occur, and having the right resources and controls in place to absorb or “tolerate” the given risk, expressed in qualitative and/or quantitative risk criteria. On the other hand, risk appetite is related to the longer term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.
Source: http://enablon.com/blog/2016/09/29/risk-appetite-and-risk-tolerance-whats-the-difference
Neil Y. Rushi says
Risk appetite is the level of risk an organization is prepared to take on, but since every business is different, the level of risk it takes on varies. It differs from risk tolerance because risk tolerance is the amount of the risk an organization is willing to accept.
Paul M. Dooley says
Neil, I definitely think you’re right that both describe how much risk is acceptable for a business to take on over the course of doing business, but I believe that risk appetite is a higher-level statement that is addressed in the overall strategy, while risk tolerance is described in individual tasks or projects that companies take on.
Sachin Shah says
Well said, Neil and Paul. Risk tolerance refers more to day-to-day work or policies, whereas risk appetite reflects the size of a business. I read an article once about how a large franchise like Dunkin’ Donuts is able to take on many risks with its menu items, machinery, and pricing, whereas a smaller-scale coffee/danish franchise like Krispy Kreme or even Federal Donuts cannot have that same level of risk appetite, because if those risks fail it may deeply damage the company. For Dunkin’ Donuts it would be a little mishap or hiccup to their overall profitability.
Jason Wulf says
4. How can an organization respond to any IT risk?
An organization’s most common responses to IT risk are to avoid, mitigate, transfer, or accept the risk.
Other response options are Risk Reduction, Risk Limitation, Risk Sharing, and Risk Retention.
Risk Reduction reduces the likelihood and severity of a possible loss. Unlike risk mitigation, this reduces the expected likelihood statistically.
Risk Limitation is a strategy introduced at a higher level that includes both risk acceptance and risk avoidance.
Risk Sharing is sharing with another entity the burden of loss and/or gain and the measures to reduce the risk. Unlike Risk Transfer, this is dividing up the risk with another entity.
Risk Retention is a risk acceptance strategy involving small risks, where the cost of transferring the risk would be greater over time than the losses sustained.
Joseph Henofer says
Jason,
I really like your breakdown of the other response options. I believe that risk sharing and transfer could fall under the same category. For instance, you buy insurance for your car and it gets into an accident. You as the driver have to pay a portion of getting your car fixed as well as the insurance company. With the purchase of insurance, you’re transferring or sharing a portion of the cost to fix your car with another entity if it gets into an accident. Does that make sense?
Jason Wulf says
Hi Joseph,
You made my brain hurt on this one!
You are risk sharing. If the insurance company ends up in court, the original risk will likely revert to you. You have not transferred the risk; you are sharing the risk. As the buyer of the insurance you retain legal responsibility for the losses “transferred”, whereas the insurance is a post-event compensatory mechanism.
Risk transfer is a risk management and control “strategy”. This is a broader term that is used interchangeably sometimes incorrectly with risk sharing.
Joseph Henofer says
OK, that makes much more sense; I guess they wouldn’t fall in the same category. I have seen some articles using these terms interchangeably. I guess I should have done more research to find out what the differences were exactly. Thank you for the detailed explanation.
Paul M. Dooley says
What is the difference between risk appetite and tolerance?
Risk tolerance is the amount of risk an enterprise is willing to take in regards to specific business objectives. Risk appetite is a higher level variable of how much risk a business is willing to take in the overall strategy. Both address the amount of risk a company is willing to accept.
Abhay V Kshirsagar says
What is the difference between risk appetite and tolerance?
Risk tolerance is the amount of risk that an organization will withstand. It is often expressed as, for instance, “Our organization will not expose more than 5% of our capital to losses in this line of business.” It indicates an organization’s ability to measure the risk, and it defines the risk attitude of stakeholders in the measurable acceptance level of risk.
Risk appetite is more about what an organization wants to do and how it goes about it. It is the responsibility of leaders at each level to define all the important parts of the risk management process and make sure that the risk management exercise throughout the organization matches the appetite. To compare the two, risk tolerance is the level of risk that an organization can accept per risk, and risk appetite is the total risk that an organization can bear in a given risk profile.
Yang Li Kang says
What is the difference between risk appetite and tolerance?
Both risk tolerance and risk appetite can be defined as the level of risk an organization or individual is willing to accept. However, the key difference between the two is that risk tolerance is more reactive while risk appetite is more proactive. Risk tolerance would be the level of risk the organization is capable of accepting given a specific risk profile. Risk appetite would be the level of risk an organization is willing to accept while pursuing a specific strategy or goal.
Jianhui Chen says
What is the difference between risk appetite and tolerance?
Risk appetite can be defined as ‘the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives’. Organisations will have different risk appetites depending on their sector, culture and objectives. A range of appetites exist for different risks and these may change over time.
Risk appetite and tolerance need to be high on any board’s agenda and is a core consideration of an enterprise risk management approach. IRM’s guidance provides practical direction, advice and information to support boardroom debate.
While risk appetite will always mean different things to different people, a properly communicated, appropriate risk appetite statement can actively help organisations achieve goals and support sustainability.
Risk tolerance is an important component in investing. You should have a realistic understanding of your ability and willingness to stomach large swings in the value of your investments; if you take on too much risk, you might panic and sell at the wrong time.
https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-appetite-and-tolerance/
http://www.investopedia.com/terms/r/risktolerance.asp
Jianhui Chen says
What three types of IT risk are there? Can you give an example of each?
• IT benefit/value enablement risk—Associated with missed opportunities to use technology to improve efficiency or effectiveness of business processes or as an enabler for new business initiatives. Examples: technology as an enabler for new business initiatives; technology enabling efficient operations.
• IT programme and project delivery risk—Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes as part of investment portfolios. Examples: project quality, project relevance, project overrun.
• IT operations and service delivery risk—Associated with all aspects of the business-as-usual performance of IT systems and services, which can bring destruction or reduction of value to the enterprise. Examples: IT service interruptions, security problems, compliance issues.
ISACA– COBIT 5
Noah J Berson says
1. What is the difference between risk appetite and tolerance?
Risk appetite is how much and what kind of risk an organization is willing to take to fulfill its objectives. A nuclear power plant will have almost no appetite compared to other organizations. Risk appetite can help an organization determine if it’s innovating enough or being cautious enough. Risk tolerance is about the variance an organization can accept for a specific risk. This could be whether they only like sure things or whether they will go for long shots.
Kevin Blankenship says
What is the difference between risk appetite and tolerance?
Risk appetite is the amount of risk an organization is willing to accept on a broad level.
Risk tolerance is more focused and establishes the deviation of risk around specific objectives.
Appetite is an objective set by the upper management of an organization and creates a larger goal for the whole organization to hit. Tolerance must be managed at a supervisor level, and it is up to each one to keep their areas or projects within the variance set.
Folake Stella Alabede says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk as defined by the ISACA RISK IT FRAMEWORK are
1. IT Benefit/Value Enablement Risk
IT benefit/value enablement risks are associated with opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives.
Not all IT risks are negative.
An example could be an organization choosing not to use an ERP system to integrate its services (thereby improving business efficiency and effectiveness) and opting to stay with its current (probably disjointed) way of integration.
2. IT Program and Project Delivery Risk
These IT risks are associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs.
Examples of the risks are project quality, project relevance, and project overrun.
3. IT Operations and Service Delivery Risk.
IT operations and service delivery risks are associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the company.
Anthony Clayton Fecondo says
All World Airlines is suffering because of an economic downturn and is contemplating outsourcing the IT operating environment in order to dedicate its resources to its primary business. I have performed a risk assessment to determine what IT risks and what human resources risks are involved in this process.
IT risks:
– the service provider can’t provide all of the functionality that the internally developed systems can.
– AWA’s systems were written in COBOL which is a rarer skill set which could make it hard for a service provider to work with.
– To save costs, programming might need to be transferred to a lower cost area. If the company that the programming is outsourced to isn’t properly vetted, this could result in poor quality code.
– if AWA outsources, the service provider will need to be able to interact with the company’s systems and AWA will need to implement a system for vendor access control
– the service provider will have AWA information and that information will need to be kept secured. AWA will need to establish security baselines and audit the service provider to ensure the protection of its data.
– AWA runs the risk of its IT function being disabled if the vendor goes out of business or has a continuity issue
HR risks:
– Non-compliance when removing jobs. Europe has laws governing the elimination of jobs, and the HR department will need to be wary of these to ensure compliance.
– Due to poor economic conditions, employees might not find new jobs. This risk should be factored into severance packages.
– unemployment insurance costs for laying people off
Despite the risks, I think that AWA should move forward with outsourcing. Currently, the company’s bottom line is suffering and changes need to be made in order for profits to be recovered. Despite the short-term risks of outsourcing, the long-term value of exchanging a variable cost IT department for a fixed cost service provider will reduce the overall risk to the company and help control costs. Most of the IT risks can be avoided by properly vetting the service provider. Additionally, the service provider specializes in IT. AWA’s core competencies have nothing to do with the IT systems that are being outsourced so it will be easier for AWA to add more value to the market by spending its time on its core competencies rather than on managing reservations.
Joseph Henofer says
Anthony,
Very nice breakdown of risk for AWA. You say most of the IT risks can be avoided by properly vetting the service provider; wouldn’t this be a risk transfer? I also agree that AWA’s core competencies do not focus on the IT systems and outsourcing would make it easier for them to add value. But I will disagree: the risk of outsourcing is not beneficial at this time. You stated that the outsourcing company will have AWA’s data and AWA would have to come up with security baselines and an audit plan for the outsourcing company, which to my knowledge is time-consuming. Wouldn’t it be better to split this move to outsourcing into phases?
Candace T Nelson says
1. What is the difference between risk appetite and tolerance?
Risk Appetite is the amount and type of risk an organization is willing to accept in order to meet its strategic objectives. Risk appetites vary based on the business sectors and the organizations risk culture, including the shared beliefs, values, behaviors and knowledge a group has about risk. There may be different “appetites” for different types of risk, and they may change over time.
Risk tolerance is the level of uncertainty an organization is willing to accept in pursuit of a specific objective. Management aligns risk tolerance with risk appetite when considering the relative importance of related objectives. Risk tolerance is tactical; hence, it is narrower in scope than risk appetite.
Joseph Henofer says
The All World Airlines Case
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource it ALCS? Why or why not? Please post your answers on the class blog.
IT Risks
Since all of the applications were developed internally, what type of work needs to be done to have the sensitivity analysis, flight and crew scheduling transition to a new system?
How is confidential data encrypted if outsourcing to other countries?
Financial Risks
If they are discussing the transferring of programming to low-cost locations such as India, how much are they going to save? Is it worth it?
How much is the buyout bill on the equipment that is currently leased? Would it be beneficial to wait a year before doing the buyout?
I would recommend that AWA continue with its plans to outsource its ALCS, but in phases. I believe shifting the ALCS system at once doesn’t allow for an effective transition to outsourcing. If they wait and do a slow transition, the current risks can be mitigated. The biggest reason why I think that they should do it in phases is because of the confidential data that the outsourcing company will be controlling. If the confidential data is compromised, then AWA will not only be liable financially but their reputation is going to be affected. For a company that is already losing money, they can’t afford to have their customers jump to another airline because the public has no trust in them with their information.
Candace T Nelson says
2. What three types of IT risk are there? Can you give an example of each?
IT Benefit/Value Enablement Risk – An example of this type of risk is failure to consolidate a group of companies with disparate accounting systems after an acquisition onto a single ERP.
IT Program and Project Delivery Risk – An example of this type of risk is if a team of developers failed to utilize project management tools to keep track of project status, tasks and deadlines.
IT Operations and Service Delivery Risk – An example of this type of risk would be failure to have a disaster recovery plan for a critical system or service.
Richard Flanagan says
Candace,
See Andrew’s examples in the next reply. Your examples seem more like contributing factors to me than risks. The risk of not consolidating accounting systems is that management may not know the real financial position of the company. This could affect the quality of their decisions, which might result in taking a detrimental action. The negative outcome would be a result of the decision and hence the risk lies there. The accounting situation is a contributing factor but not the risk itself.
Andrew P. Sardaro says
2. What three types of IT risk are there? Can you give an example of each?
The three types of IT risk and examples of each are:
• IT benefit/value enablement risk—Associated with (missed) opportunities to use technology to improve efficiency or effectiveness of business processes, or as an enabler for new business initiatives.
Example: Motorola not capitalizing on their mobile phone success and failing to focus on smartphones that can handle e-mail and other data, rapidly losing share to newcomers like RIM, Apple, LG, and Samsung. (Timeframe 2003)
• IT programme and project delivery risk—Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes. This ties to investment portfolio management (as described in the Val IT framework).
Example: In 1987 California attempted to computerize their departments of motor vehicles, only to abandon the projects after spending millions of dollars. Results showed that the new system was slower than the one it was designed to replace.
• IT operations and service delivery risk—Associated with all aspects of the performance of IT systems and services, which can bring destruction or reduction of value to the enterprise.
Example: In September 2010, Virgin Blue’s check-in and online booking systems went down due to hardware failure. The outage severely interrupted the Virgin Blue business for a period of 11 days, affecting around 50,000 passengers and 400 flights.
Richard Flanagan says
Andrew, good examples. I particularly like the Motorola example. It shows that doing nothing can be a risk in and of itself. We tend to associate risk with change (projects, initiatives, etc.) and evaluate those risks against the known. Unfortunately, we often think that our current state is risk free when in reality it isn’t.
Think about changing jobs. You might have a good opportunity in a new field but be thinking “wow, that’s a big risk, maybe I should stay where I am.” You seldom think, “wow, the industry I am in is headed for trouble and I might get laid off, so that new job doesn’t seem as risky as where I am now.”
Andrew P. Sardaro says
1.What is the difference between risk appetite and tolerance?
Risk appetite is the amount and type of risk that an organization is willing to take in order to meet their strategic objectives and goals. Organizations will have different risk appetites depending on their sector and objectives. Risk tolerance is the amount of risk they are willing to take with any specific initiative.
Candace T Nelson says
4. How can an organization respond to any IT risk?
There are four commonly used methods to manage risk, including:
• Risk Avoidance – not performing an activity that may impose risk
• Risk Reduction/mitigation – implementing measures to reduce the probability of risk materializing or exposure to the risk.
• Risk Transfer – shifting risk from one party to another, such as through purchasing insurance, or Risk Sharing – distributing risks among several participants (e.g. entering into a joint venture).
• Risk Acceptance – the cost of managing the risk is acceptable because the risk level is insufficient to justify the cost of avoiding the risk.
Andrew P. Sardaro says
4.How can an organization respond to any IT risk?
An organization can respond to any IT risk by using Risk Acceptance, Risk Avoidance, Risk Sharing, or Risk Mitigation.
1. Risk Acceptance: Occurs when the cost of managing a certain type of risk is accepted, because the risk probability involved does not warrant the added cost it will take to avoid that risk. Using the acceptance response strategy means that the risk is known and the severity of the risk is lower than our risk tolerance level.
2. Risk Avoidance: Is the elimination of hazards, activities and exposures that can negatively affect an organization’s assets. Overall, not engaging in the activity that brings the risk.
3. Risk Sharing: Risk is reduced by shifting or sharing a portion of the risk with a contracted third party or business partner. Purchasing insurance (to defray cost) and outsourcing with a vendor to share the risk of a new endeavor.
4. Risk Mitigation: Most common response to significant risks. This involves mitigating the likelihood or impact of the risk. You do this by creating controls (PDC) that lessen the likelihood (preventative) or help recover quickly (corrective).
Kevin Blankenship says
How can an organization respond to any IT risk?
There are four ways an organization can respond to an IT risk.
1) Acceptance. This happens when an organization decides to take on the cost of a particular risk. This is usually done when the cost to prevent this risk outweighs the impact, or the risk is below tolerance levels.
2) Avoidance. This is when the risk is eliminated or dropped by not pursuing the activity that leads to risk.
3) Mitigation. This is when an organization tries to minimize the impact of a risk by using measures that will reduce the impact or likelihood of it happening.
4) Sharing. Often this is insurance. The cost of a risk event is split between the organization and a 3rd party. This usually does not decrease the likelihood of an event, but will often reduce the cost.
Ryan P Boyce says
All World Airlines Case:
Of the different areas of risks the CFO has chosen to focus on, IT risks and Financial Risks are most important.
The greatest risks to IT in conjunction with outsourcing are risks to confidentiality, quality of service, operations, and compliance. Confidentiality may be the greatest risk, as a company can never be exactly sure how secure the infrastructure on which the outsourced applications/data reside is. Unless the outsourcing provider has excellent records of system uptime, quality of service may also be affected. In the industry AWA is in, they are sure to be accepting payment for flights electronically. If AWA decides to outsource its payment processing systems, there is a large risk associated with the disposal of this data by the consulting company.
These IT risks are the basis for all other risks because IT is the area of the company that is being outsourced. Any other risk (financial, human resources, competitive, and reputational) would be the result of an event or loss actually occurring as a result of an IT risk. If the company AWA is outsourcing to defaults on their agreement to meet 99.99% uptime of their systems and AWA’s registration service goes down, AWA will surely be hurt financially. If the consultant company fails to dispose of personally identifiable information according to standards, AWA might be sued, thus damaging their reputation with customers. Finally, if AWA’s consultants are hacked and user information is leaked, the airline’s confidentiality is undermined.
Folake Stella Alabede says
All World Airlines Case
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
My Risk Analysis is focused on the 2 areas below (from risks already identified by the CFO):
IT RISKS
The IT risks that could occur from outsourcing the IT operating environment:
• There are some specific requirements (sensitivity analysis, flight and crew scheduling) that are only available with internally developed solutions
• All systems are written in COBOL; many programmers are retiring, and the available programmers command higher salaries
• Further analysis to be made on transferring programming to low cost locations such as India
• Concern regarding IT compliance to regulatory requirements
• Equipment and data center facilities are currently leased. What becomes of the leases?
Human Resources (Legal) Risk
• US programmers are located in an economically depressed area; workers with eliminated positions will have problems finding new jobs
• European work rules have long lead times for the elimination of jobs
Based on my risk analysis, I would recommend AWA continue with its plans to outsource its ALCS.
AWA has posted losses for the past 6 quarters because the airline industry has been significantly affected by the economic downturn and many other factors (beyond their control). Outsourcing this function would help them focus on their primary business of transportation, and thereby possibly start recording some profit for the organization.
FOR IT Risks-
The first step I would recommend is to find out the process/how “many” of the other large airlines have successfully entered into outsourcing agreements with their former support functions. (I say successfully because the article says many and not some, if the outsourcing wasn’t so successful, many of the other large airlines would not be opting for it). I am positive some of these other airlines had requirements that were only available with their internally developed solutions, how did they outsource this successfully?
Outsourcing could also address the issue of COBOL programmers commanding higher salaries. Can systems be written in other (probably better) programming languages? Does it have to be COBOL?
Outsourcing this service does not necessitate that the systems have to be written in COBOL. Other programming languages might be able to meet the business need and deliver better services than COBOL. Even if AWA eventually decides not to outsource, this might be an area that would help reduce cost drastically – COBOL programmers command high salaries – AWA is an international airline with reservation centers in different companies – imagine they have like 1,000, or 500, or even 200 COBOL programmers all commanding high salaries?
Equipment and data centers that were leased can also be sub-leased, even though it might be at a lower price. And even if otherwise, AWA has to decide – if they hold on to the lease and keep reporting losses and end up going bankrupt, the leases won’t matter.
Again, regarding regulatory compliance and transferring programming to other locations/countries – I still say – find out how the other large airlines have successfully outsourced this function. (The other airlines have to follow the same regulations too)
For Human Resources (Legal) Risk
AWA has to look at the bigger picture and ask the question –should we not talk about eliminating employees because they might have problems finding new jobs and probably keep recording losses that might eventually lead to bankruptcy/ closing shop? Organizations cannot afford to be sentimental. AWA can help with financial planning to help laid off staff by offering tangible assistance with job search, retirement, maybe extended medicals etc. These so-called “career transition services” might be offered in-house or handled by a company specializing in providing such assistance.
AWA could start elimination with contract staff and temporary staff, but they have to start somewhere. Not eliminating employees might bankrupt AWA. I say that because when most organizations have a financial crisis, the first thing they do (till present) most of the time is lay off staff. This might look like a harsh move sometimes, but the end has to justify the means. Laying off employees could equal business continuity for AWA.
So my final recommendation is to determine if they want to outsource completely or gradually.
Again, the way to proceed with this might be to do research on appropriate and capable outsourcing companies, give like 2/3/4 outsourcing companies a rundown of what AWA wants to outsource and their concerns, and let the outsourcing company come present a demo/presentation to address concerns and show how the outsourcing will work. (Remember these self-supporting outsourcing companies are vendors for other large airlines in the same business as AWA, who probably outsourced the very same services AWA is now planning to outsource.)
Mengxue Ni says
Rich’s section
AWA CASE QUESTION
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
The question is, based on the risk assessment, should AWA continue outsourcing their IT function. I would like to assess IT risks and human resources risks for this case.
IT risks
• Loss of control (data and technologies)
• Less flexibility
• Information technology evolves rapidly (signing long-term IT outsourcing contracts is risky)
• Being held hostage: IT professionals argue that outsourcing allows the user to become a hostage of the vendor. The company may lose technical staff and be locked into the vendor’s proprietary software and hardware.
Human resources risks
• Risks to the confidentiality of information
• Lack of internal communication
• Job security for regular employee
I would not recommend that AWA outsource their IT function. Although it is not a core business function for them, it is very risky to outsource the IT function at the moment. They have already posted losses for the past six quarters. Outsourcing the IT function won’t help them recover in the short term; instead it will cost them more because they may need to implement new technologies. They need to figure out some other solutions to reduce the cost.
Xiaodi Ji says
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
IT risks
– The company loses control of the data, which could cause leakage of sensitive information.
– Transferring information from the currently leased equipment to new equipment may cause files to go missing.
– The outsourced program may not satisfy the enterprise’s requirements.
– Updating current programs from the vendor may cause many problems.
Human resources risks
– Firing IT employees will have a terrible effect.
– European work rules have long lead times for the elimination of jobs.
– The vendor’s employees may cause trouble or may not meet the company’s demands.
Although they have a lot of risks, I still believe that they should continue with their plans to outsource their ALCS. The first reason is that they should pay more attention to improving their service or their core business. Now, the airline business is very hard. They have to put all of their energy into the airline, such as creating new air routes, supporting enough flights, decreasing delays, and so on. In this case, they cannot spend money on IT, which will cause the system to become more and more unsafe and slow.
The second reason is that it is quite expensive to hire an advanced department. The reservation system has significant meaning for the company because this is the first impression for the users. In order to build this system, the company has to hire many advanced programmers, which costs a lot of money. The vendor is the professional in this area. They can do it well. On the other hand, if this vendor does not work well or managers do not like the style of the vendor’s design, they can change vendors as soon as possible.
The final reason is that creating good policies for the IT staff when they are fired can solve the human resources risk. The company still needs some IT staff to maintain some of their sensitive information, so they do not need to fire all IT employees. Meanwhile, the company can pay them while they transfer their knowledge to the vendor’s employees. Finally, AWA can hire a third-party company to help their employees find other jobs. All of this looks like it will cost a lot of money. However, if AWA still keeps the IT department, they may not only spend more on it, but they also cannot get a valuable system.
Therefore, there are many risks when we consider using outsourcing. However, in this situation, AWA has to do it to reduce their cost and get better service in IT.
Xiaodi Ji says
How can an organization respond to any IT risk?
There are four responses when an organization meets IT risk.
1. Accept: Accepting known risks. This is quite important because before we can make the right decision, we have to know what risks we meet. However, this risk has to be an obvious risk. We cannot accept unknown risks.
2. Avoid: Doing nothing about a known risk. When the company meets a risk, they choose to ignore it. They may think this risk is not bad enough to affect the company, or the risk has limited impact.
3. Mitigate: Reducing risk by using reasonable controls. Sometimes the company knows this risk, but they do not have enough technology to solve this problem, or just a few people have this problem. They will use some controls to reduce the effect of this risk, then wait for the next version to solve this risk.
4. Transfer: Transferring risk to another company. This is like sharing risk with another company. The typical example is that a company buys insurance to reduce loss when this risk comes true.
Xiaodi Ji says
1. What is the difference between risk appetite and tolerance?
Risk appetite: This item is about the favor of risk.
We cannot ensure that a company does not have any risk. Just like nobody can say they do not have a disadvantage. Actually, risk or disadvantage can help us improve ourselves. If we can find a risk, we can find what will happen and think of some method to solve this risk to make the company better.
Risk tolerance: This item is about how much or how big a risk a company can handle. Although some risks can help a company improve itself, a big risk can destroy a company immediately. However, what kind of risk will be considered a big risk depends on the size of the company. A small company losing 10 million in one trade would be treated as a big risk, while it is just a small case for a big company.
Andrew P. Sardaro says
All World Airlines (AWA)
Due to certain factors impacting the airline industry, All World Airlines has posted losses for their last six quarters. AWA must decide if they will outsource their internal development and IT operations, as they have become too expensive to support. Don Geekbine (CIO) was tasked to perform a risk assessment of the outsourcing process.
The following is a list of IT and HR risks associated with outsourcing:
IT risks:
• All AWA systems are written in COBOL, an older programming language; most programmers specializing in this language have retired or are retiring. The IT Provider may not have this skill set to properly support it.
• AWA will have to entrust the IT Provider with keeping data secure. Depending on the level of sensitivity, significant Cyber Insurance liability may be required. This will require auditing the IT Provider as to be sure AWA data is being properly protected.
• Sensitivity analysis and flight and crew scheduling have some specific requirements and need to be handled internally, meaning not all AWA systems can be handled by the IT Provider.
• AWA will be dependent on the IT Provider for system availability and stability. Do they provide redundant systems, CM processes for planned outages?
• Current data center facilities are leased; will they have to buy out the leases?
HR Risks:
• Do AWA stakeholders support this outsourcing move?
• If choosing an IT Provider in a foreign country you are presented with language, political, and cultural differences.
• What will AWA do to assist employees being let go in finding new jobs? Will there be extended severance packages?
After reviewing AWA IT and HR risk factors, I recommend outsourcing ALCS to an industry leading IT provider. As the article states, AWA has determined that IT is not their core business. Outsourcing this IT function allows AWA to prioritize their core business as an international airline transportation company and recover some of the financial loss from previous quarters.
Sachin Shah says
What three types of IT risk are there? Can you give an example of each? I will give examples with my job…
1. Benefit/Value Enablement Risks – Using better technology or infrastructure in order to improve performance and processes. My job used to have an outdated datacenter with poor power generator/UPS design. We moved our servers to a state-of-the-art facility owned by a consulting company, and now there are limited downtime periods for our systems and the performance of our hardware is optimal.
2. Program/Project Delivery Risks – these IT risks stem from project completion and portfolio management. Basically, what are the risks if these projects are not done and not done on time. One year ago many hospitals were slow in accounting for ICD-10 codes, which are used nationwide for billing. The hospital accounting departments were outdated for months if they did not complete this project and account for each code that referred to a patient visit type and hence what to bill a patient and insurance company.
3. Operation/Service Delivery Risks – this relates to what a company has to offer in order to provide better service to its customers. These customers can be clients or internal, and many times this is phone support, hardware support, implementations, or upgrades. An example I have of this is when customers were demanding an upgraded infection control module, yet our vendor needed the users to use Windows 7 computers. Most of the users were using Windows XP and there was back and forth, and we as a department had to explain that the risk of not updating or reimaging PCs would lead to further issues like this.
Sachin Shah says
How can an organization respond to any IT risk?
An organization can respond to IT risk in 4 ways:
1. risk avoidance – I consider this to be when a company pretends there is no problem or risk. Looking the other way or being oblivious when a risk is identified and apparent.
2. risk mitigation – this is the process of reducing risks by putting in measures to counter the risks or fix the risks in case they actually happen.
3. risk transfer – this is when a risk is dumped on or shared with a third party. We do this at work when we outsource or hire consultants to divide the work and controls for an environment.
4. risk acceptance – this is when a company accepts the risk and knows the potential of it happening. This is when a company says that if the risk identified occurs, it is a sunk cost, as it would cost way too much to put in a permanent fix.
Alexander B Olubajo says
The All World Airlines Case
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
–> IT Risks
1. The fact that sensitivity analysis, flight and crew scheduling have some specific requirements that are only available with internally developed solutions will mean that they will risk all that information and will most likely give up control of them.
2. AWA’s current systems were written in COBOL, thus they risk not being able to find IT service providers that will be able to maintain those systems as they may have become obsolete.
3. AWA’s equipment and data center facilities are currently leased, meaning they risk incurring cost on unused resources assuming they are on a fixed contract.
4. AWA’s CIO has not performed a risk assessment before, thus risking the whole process in general.
–> HR Risks
1. If they want to go ahead with outsourcing, they have to take into account the European work rules on long lead times for the elimination of jobs as most employees will have to be laid off
2. The fact that the US workers are located in economically depressed areas, and that eliminating their jobs will create the problem of finding new jobs, could be a risk HR wouldn’t want to take.
I would recommend AWA continue with its plans to outsource its ALCS, primarily and simply because it will give them the opportunity to better focus on their line of business, which is transportation. Even with some of the financial risks, Human Resources risks, IT risks etc. at stake, I think the benefit of outsourcing its ALCS outweighs its cost.
Candace T Nelson says
The All Worlds Airline Case
COMPETITIVE RISKS – In order for AWA to continue to be viable, they will have to maintain ticket prices within reach of their rivals, while continuing to prioritize other customer “wants” including safety, on-time performance, non-stop flights, and all-inclusive fees, to name a few. In an era of economic downturn and increased competition, it seems that the only way AWA will remain viable is if they eliminate costs from non-core functions (e.g. reservations and technical information systems) and devote residual resources to what they do best, which is flying airplanes.
HUMAN RESOURCES RISKS – these risks are a little trickier to assess since there are many factors to consider, including the European work rules and the labor disputes brought on by the economic downturn. Don Geekbine expressed concern over the fact that Detroit is an economically depressed area and that displaced workers would have difficulty finding new jobs if IT were outsourced. The flipside of that risk is that, if AWA goes out of business, none of the workers will have jobs, either in Detroit or in Wiesbaden, Germany.
It seems like the best approach would be to promote early retirement for those employees who are of age or are otherwise willing or eligible. Then, a phased approach where IT Operations in Detroit are outsourced first, while administrative procedures that are required in Germany can be performed. If feasible, the entire scheduling operation can be assumed by a global travel organization that can assume the international IT operations by the time that portion of the business is ready to be shut down.
Based on these analyses, I would recommend that AWA move forward with their plans to outsource.
Ivy M. McCottry says
The three types of IT risk are:
IT Benefit/Value Enablement Risk
IT Program and Project Delivery Risk
IT Operations and Service Delivery
IT Benefit/Value Enablement Risk pertains to not maxing out on efficiency gains enabled by technology. Example: I was in a role where we outsourced backup services. The backup services had an analytics function that we did not implement because of how the backup services were distributed. We missed the opportunity to provide service based on qualified demand because we didn’t utilize/exercise the analytics.
IT Program and Project Delivery Risk pertains to risk created by portfolio projects or new solutions. A number of years ago, a large telco intended to purchase another telco. There was a purse associated with the deal. The deal fell through and the purse was still issued. The buyer lost substantial revenue that the takeover company later used to compete with. This is very high level. A more typical example could be projects or programs that go over budget or do not meet schedule timelines.
IT Operations and Service Delivery risk pertains to point of failure opportunities with IT systems and services. Example: Delta’s systems were down for days, not hours, and the glitch impacted operations worldwide, eroding revenue, reputation, and customer satisfaction.
Daniel Warner says
1) What is the difference between risk appetite and tolerance?
a) I think the martini example that was provided was a good example of the difference between risk appetite and tolerance. Risk appetite refers to how much risk an organization would be willing to endure to achieve their business objective. Risk tolerance is the understanding of how much risk the organization can truly undertake, and how much variability the organization can withstand while still pursuing their objectives. Establishing a foundation of risk tolerance in an organization then allows that organization to account for the amount of risk they are willing to undertake.
Ivy M. McCottry says
What is the difference between risk appetite and tolerance?
My interpretation based on the RISK IT framework
-Risk appetite is the risk a company is willing to accept in accomplishing objectives/the mission.
-Risk tolerance is the degree of flexibility regarding risk that the company has in accomplishing objectives/the mission. For instance, the company has a risk appetite but that appetite has a limit. Everything can’t be allowable/permissible. There have to be some controls in place even for risk taking.
Ivy M. McCottry says
In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
Risk governance sets controls for risk-related matters.
Risk evaluation vets the issues captured or possibly captured through risk governance controls, which helps lead to a risk profile.
Risk response addresses mitigating, transferring, accepting, or ignoring risk based on the best options available to the company.
Ivy M. McCottry says
Another view of risk
I found the article interesting because of its position on the value and weight of leadership’s voice in risk management. Across the readings, there is consistency with respect to leadership’s role. My exposure to leadership in corporate and public environments has shown me that leadership can have the right rhetoric and behavior and that it’s not for show. Transparency and accountability can be true banners and leadership’s brands. The disconnect is in the interpretation of “doing the right thing” by multiple levels of leadership below senior leadership. I have found that at times, despite the right language and action from the top, others will support top-level goals and objectives but not in the same manner that leadership called for. They might create environments that do not promote the right thing (e.g. the Wells Fargo sales force issues that blew up).
Ivy M. McCottry says
Focus your analysis on identifying all of the risks in two of the five areas identified by the CFO. Ignore the questions at the end of the case. Based on just your risk analysis would you recommend AWA continue with its plans to outsource its ALCS? Why or why not? Please post your answers on the class blog.
Human Resource Risks
-Retiring programmers
-Outsourcing abroad (India)
-European work rules lead to long lead times which makes outsourcing unattractive
-US programmers are in challenged markets
Financial Risks
-Leased equipment and data facilities
-Costs of maintenance for internally-developed solutions
-Costs of outsourced solutions
-Potential compliance penalties
Although the case notes that the costs of internal development and operations are high, the system seems to be too integral to AWA. This makes me think of IT Service Delivery Risk. The system could serve as a point of failure in operations. I think that if it were a support function, outsourcing wouldn’t be a problem. However, it’s a mission-critical function. I would not be comfortable with passing that off to a vendor. I would much rather offload functions like maintenance, possibly through staff augmentation where there is still direct involvement.