In this episode of ByteWise Podcast, Daniela, Brian, and Glen chat with Jeff Owen, Chief Operating Officer at Rochdale, a credit union services organization (CUSO) specializing in enterprise risk management (ERM). They delve into the often misunderstood concepts of risk appetite and risk tolerance, emphasizing their importance in the information security and technology space. Jeff shares his insights on defining ERM, establishing risk appetite statements, and integrating them into strategic decision-making. He also discusses the challenges of gaining buy-in for risk management initiatives and provides actionable advice for incorporating risk appetite statements into cybersecurity strategies.
Key Takeaways:
- Defining ERM: Jeff emphasizes the importance of understanding ERM's objectives before jumping into discussions, highlighting the need for a holistic approach that considers the biggest risks tied to organizational objectives.
- Risk Appetite vs. Risk Tolerance: Jeff differentiates between risk appetite (broad, qualitative view of acceptable risk) and risk tolerance (detailed, quantitative boundaries on specific risks).
- Establishing Risk Appetite Statements: Jeff outlines a step-by-step process involving dialogue between the board and executive team, incorporating risk categories and objectives, and creating hypothetical scenarios to gauge risk tolerance.
- Communicating Risk Appetite Statements: Jeff stresses the importance of communicating risk appetite statements to decision-makers across the organization, ensuring they understand and can leverage them in their roles.
- Cyber Risk Appetite: Jeff acknowledges the increased focus on cyber risk from regulators and boards and discusses incorporating cyber risk as a separate risk category in risk appetite statements.
- Integrating Risk Appetite with Strategy: Jeff highlights the value of integrating risk appetite conversations into strategic planning to proactively address risks and opportunities.
- Following Up on Risk Appetite Statements: Jeff suggests identifying measurable risk tolerances, tracking adherence to them, and establishing processes to address breaches.
- Example Risk Appetite Statement: Jeff shares an example risk appetite statement that balances an aggressive strategic plan for partnering with innovative technology providers with the importance of protecting member data and maintaining member confidence.
Guest Information:
Jeff Owen, Chief Operating Officer at Rochdale
