How to Calculate Risk Appetite for Third-Party Risk Management

A well-defined risk appetite is the cornerstone of an effective Third-Party Risk Management (TPRM). Without a risk appetite, you have no control over the amount of risk introduced by new third-party vendors, and you can’t design a pathway toward an improved security posture.

Because virtually all vendor risk management processes depend upon the third-party risk standards stipulated in a risk appetite statement, it’s almost impossible to secure your third-party attack surface without a risk appetite statement.

Whether it’s due to complex third-party key risk requirements or a lack of guidance, many organizations are unaware of how to calculate their risk appetite, and as result, their third-party due diligence efforts fail, placing them at a heightened risk of suffering a data breach.

Because cybersecurity risk is the most complex risk category to address in a risk appetite calculation, this post specifically focuses on cybersecurity risk evaluation while delineating the process of calculating a risk appetite for your Third-Party Risk Management Program (TPRM).

Learn how UpGuard streamlines Vendor Risk Management >

The Role of Risk Appetites in Third-Party Risk Management (TPRM)

To ensure your risk appetite is calculated correctly, it’s important to understand its influence on the wider context of Third-Party Risk Management.

Within third-party cybersecurity, an organization’s risk mitigation framework consists of the following components listed in hierarchical order.

• Enterprise Risk Management Framework - The ERM framework outlines a company-wide strategy for managing cybersecurity risks (including third-party risks) and regulatory compliance. The primary objective of an ERM framework is to achieve a consistent risk management culture across all business units.
• Risk statement - A risk statement is a document summarizing the overall risk mitigation intentions of the ERM framework. It’s an organizational-level summary of your security risk tolerance that feeds into the risk thresholds of every business unit’s risk register.
• Risk register - A risk register sits within every business unit in an organization. It specifies the cybersecurity risk threshold of every department to support regulatory compliance within the unique third-party services and products used in each department.
• TPRM security policies - The regulatory compliance and third-party risk requirements outlined in your ERM framework inform the TPRM policies drafted for each business unit.
• TPRM framework - A TPRM framework ties together your risk appetite, ERM framework, and TPRM policies into a security program focused on third-party risk mitigation.

Keeping this high-level overview in mind will prevent a myopic approach to risk appetite calculation - a habitual mistake most businesses make. Your risk appetite is the entire backbone of your third-party risk mitigation efforts, so while calculating it, you need to consider the broader security goals of your organization, as outlined in your business objectives, metrics, and initiatives.

Your risk appetite will help you make more informed decisions about which vendors are safe to onboard, and which will pose too much of a data breach risk.

Learn how to manage service provider risks >

Terms Overview: Inherent Risk, Residual Risk, Risk Appetite, and Risk Tolerance

Being aware of the key terms associated with the risk appetite will be incredibly helpful during its calculation. If you’re already familiar with the foundational concepts of the risk appetite calculation process, feel free to skip ahead to [name of section]

• Cyber risk - the likelihood of a security weakness in an IT network (a vulnerability) being exploited.

At a high level, cyber risk is calculated with the following simple formula:

Cyber risk = threat x vulnerability x sensitivity rating

Where the sensitive rating reflectathe value of data at risk of compromise.

• Risk appetite - The levels of risk a company is willing to accept at an organizational level in order to meet business objectives
• Risk tolerance - The degree of acceptable deviation from the risk appetite. For example, the maximum amount of permissible website downtime following a cyberattack.
• Inherent risk - the total amount of security risks present within an IT ecosystem, in the absence of cybersecurity controls.
• Residual risk - the total amount of security risks present within an IT ecosystem with cybersecurity controls in place

Each business will have a unique level of risk appetite. Benchmarking is of little value. You need to take the time to articulate risk appetite based on your unique risk management goals.

The Risk Appetite Scale

Security risk severity is measured against a risk appetite scale. The analysis of third-party risks against this scale can be represented graphically as a horizontal bar chart, where higher risks extend towards the right of the scale.

There are inherent risks associated with every newly onboarded service provider. When measuring the security risks of a potential vendor, only inherent risks will be measured on the risk appetite scale.

When the threat scenario is restrained with security controls, inherent risks are compressed beyond the risk appetite, into a new risk domain known as residual risk.

Risk tolerance is a band extending from the risk appetite marker. Depending on the scenario, an additional degree of risk could be absorbed beyond the risk threshold and within the risk tolerance band in order to meet specific strategic objectives.

What’s the Difference Between Risk Appetite and Risk Tolerance?

Risk appetite is the acceptable level of risk an organization is willing to absorb to achieve its strategic objectives. Risk tolerance is the degree an organization is willing to deviate from its risk appetite level.

Risk tolerance levels expand a company’s risk appetite limit, increasing its overall risk capacity, which also increases its risk-taking strategy. A conservative risk culture, however, is always safest. Better to be risk-averse and more inclined to strengthen internal controls than to make compensations for the sake of onboarding a desired vendor.

There are different versions of this scale depending on your preferred method of risk evaluation. Here’s an example of risk measurement expressed as a distribution of outcomes.

A risk appetite should be calculated for every foreseeable category of cyber threat across every department in your organization. These calculations will then govern the overarching risk appetite outlined in your risk appetite statement.

How to Measure and Calculate Your Cybersecurity Risk Appetite

The process of measuring and calculating your third-party cybersecurity risk appetite can be broken down into three steps.

Step 1: Identify all Regulatory Compliance Expectations

The fines associated with regulatory non-compliance can have a significant impact on your bottom line, with some fines reaching as high as $7.5 million. Besides being aware of the relevant regulatory requirements in your industry, you need to be aware of the potential degree of non-compliance associated with each individual third-party risk control.

Learn about the list of regulations impacting financial services >

Popular regulations governing third-party security risk exposure include:

• GDPR
• PCI DSS
• HIPAA
• CCPA

Step 2: Identify all Relevant Inherent Risk Categories

The first step to cybersecurity risk calculation is to define the different types of risk categories that will require ongoing monitoring. These categories should be broad enough to address all of the different security risks your organization is likely to face.

In third-party risk management, the outsourcer (your business) carries all of the risks associated with each third-party relationship. This risk potential doesn't end at each individual vendor, even fourth party vendors (each vendor’s third party) impact security posture.

When the security risks between third and fourth-party vendors are combined, the resulting threat landscape can be divided into two groups, outsourcing risks, and service-level agreement (SLA) risks.

Learn how to communicate third-party risk to the Board >

To make the process of brainstorming risk category ideas easier, list all of the corresponding areas of risk in each group.

Outsourcing Risk Examples

• Financial risks
• Strategic risks
• Reputational risks
• Geopolitical risks
• Supply chain risks
• Credit risks

Service-Level Agreement Risk Examples

• Cybersecurity Risks
• Operational risks
• Compliance risks
• Procurement risks
• Regulatory risks
• Legal risks
• Business continuity risks

To maximize efficiency during the brainstorming process, you should aim to only list risks that are relevant to your organization. Sending risk assessments, or questionnaires is a great method of quickly learning about the range of security risks that are present across your third-party network.

Take a tour of UpGuard's risk assessment features >

After nominating your risk categories, you will need to list all of the individual threat events within each category. With little or no experience, this can be a very daunting effort. To speed up the process, you can refer to published risk appetite statements within your industry for inspiration.

Here’s a list of risk appetite statements across three industries with extensive third-party security requirements.

• Finance - European Bank for Reconstruction and Development
• Healthcare - Sydney Children’s Hospital Network
• Technology - Office of the Comptroller

Here are some other helpful risk appetite resources:

• Develop Your Technology Risk Appetite (Gartner)
• Risk Appetite Statements (IRM)

Step 3: Choose a Risk Measurement Methodology

Attributing a criticality weighting to each potential risk is arguably the most complex (and frustrating) component of calculating your risk appetite.

There are two primary approaches to developing a risk rating scale - the quantitative approach and the qualitative approach. Cybersecurity professionals fall into either camp, and the debate over which method is superior continues to this day.

A study by Hubbard Decision Research discovered an interesting (yet predictable) correlation between risk measurement methodology preference and attitudes toward statistics. Cybersecurity professionals with strong opinions against the quantitative method also had the poorest understanding of statistics. 

These findings may help you decide which risk methodology to choose. If statistics isn’t your strong point, the qualitative methodology could make your risk analysis efforts easier. 

But as you approach the decision over which method to subscribe to, keep this in mind:

‍There is always uncertainty in every form of risk measurement.

‍Embracing this comforting fact will save you many hours of frustration while designing your risk rating scale. There’s no need to obsess over the accuracy of your risk appetite calculations, the aim isn't perfection, but rather, to achieve the most confident degree of approximation.

Calculating the Likelihood of Cyber Risk Events

Both risk measurement methodologies are a function of the likelihood of each threat event. The likelihood of some events is easy to approximate. For example, you can safely assume that your organization will often be targeted with phishing emails, so this threat would have a high likelihood. But determining the frequency of most threat scenarios isn’t as easy.

A good model for likelihood estimation can be found in the following resources:

• NIST 800-30 - Guide for Conducting Risk Assessments
• Government of Canada - Harmonized TRA Methodology
• Risk Assessment Summary by Mozilla
• Rapid Risk Assessment by Mozilla

The Quantitative Methodology

The quantitative methodology aims to represent risk appetite as a numerical value for financial loss.

For example:

“Our risk appetite is $5 million of annualized loss.”

Because risk appetite is represented as a financial value, the criticality of all potential cyber threats is determined by the corresponding financial impact of each risk event. Thankfully, you don’t need to perform these calculations by hand, you can use a simulation model to crunch these numbers very quickly - the Monte Carlo simulation is a popular model used for quantitative cyber risk analysis.

You can also use the open-source Python library RiskQuaint for your risk quantification calculations. This Python library was developed by the information security department at Netflix.

Learn more about Cyber Risk Quantification >

To help you understand the common variables in a quantitative cyber risk calculation, here’s a simplified example.

Here’s a simplified example of a quantitative cyber risk calculation:

• Asset Value (AV) = $100,000
• Exposure Factor (EV) = 80%
• Likelihood (Annualized Role of Occurrence, or ARO)= 30%

Impact (Single Loss Expectancy, or SLE) = AV * EV

SLE = 100,000 * 0.80

SLE = $80,000

Risk Value (Annualized Loss Expectancy, or ALE) = SLE * ARO

ALE = 80,000 * 0.3

ALE = $24,000

So the potential yearly loss of potential threats faced by the analyzed asset is $24,000.

This is a very simple example. Usually, multiple contributing factors are considered when quantifying annualized loss including:

• Cost per outage hour
• Outage duration
• Outage frequency
• Frequency of data breaches
• The magnitude of data breaches
• Disaster recovery costs
• Legal liabilities
• Regulatory compliance fines

The process of calculating the likelihood of an event is explained in more detail in the next step.

Because the quantitative method represents threat scenarios in terms of their potential financial impacts, this methodology could be more effective in convincing senior management of the value of risk management program investments. Regardless of your industry, if you want your strategic planning efforts to be taken seriously by decision-making staff, map each of your suggestions to a potential financial impact.

Security ratings can also be used as a tool for quantifying the risk profile of all your third-party vendors. Security ratings offer a reasonably accurate quantification of an organization’s security posture. Reputable tools consider risks of commonly exploited attack vectors and they adhere to the Principles for Fair and Accurate Security Ratings.

Learn more about security ratings >

After quantifying all of the potential risks faced by your organization, you can then make a decision about the maximum annual loss your organization is willing to sustain in any cyber threat event, also known as your risk appetite.

The Qualitative Methodology

The qualitative approach is a much simpler method of determining risk severity which is why it’s the preferred method for many security professionals.

With the qualitative method, the risk rating scale is based on four levels of criticality:

• Critical
• High
• Moderate
• Low

Each level is usually represented with a number ranging from 1 to 4, with 1 representing the most critical level.

• Critical - 1
• High - 2
• Moderate - 3
• Low - 4

Each qualitative evaluation is plotted in what’s referred to as a heat map. The criticality of each event could still be determined by the potentially monetary impacts of each threat event. Here’s an example of low-fidelity qualitative analysis using annualized loss expectancy to determine its criticality levels. The numbers in each square indicate the estimated results of four different threat events. 

After establishing your risk scale, it’s important to get stakeholder approval before defining your risk appetite against this data.

The heat map should be divided into four quadrants, each reflecting the three levels of risk response - accept, monitor and respond.

After plotting all potential risks across the heat map, the required responses for all risks will become clear. 

Understanding your business’s final cyber risk distribution will then allow you to plan an optimal risk tolerance profile that’s supportive of you overarching business objectives.

A risk matrix is a very effective tool for understanding risk distribution across other cybersecurity disciplines where security risk visibility is critical, like Vendor Risk Management. Here's an example of a risk matrix being used to efficiently communicate vendor risk exposure on the UpGuard platform.

Get a free trial of UpGuard >

Which Risk Rating Methodology Should You Choose?

Both methodologies share the same weakness, uncertainty. But by combining the two together, you’ll minimize levels of uncertainty and compound the benefit of both options.

The Factor Analysis of Information Risk model (the FAIR model) is a risk evaluation framework that combines qualitative and quantitative mechanisms. The high level of risk measurement accuracy that’s possible with the FAIR model makes it one of the most popular frameworks for calculating an organization’s risk appetite.

The Importance of Contextualization

After defining your risk appetite, the data from risk assessments can be aligned against your risk appetite to inform each of your response decisions. After benchmarking third-party risk data against your risk appetite, there are four response options available.

When a threat scenario is measured against its corresponding risk threshold, risk management decision-makers have to choose from the following response options:

• Acceptance - Accept the level of risk associated with a given scenario or third-party vendor (for low likelihood and low impact risks)
• Avoidance - Either completely avoid the threat scenario or adjust the series of processes linked to the threat scenario to eliminate risk transfer (for low likelihood and high impact risks)
• Mitigation - Implement security controls to push risks levels below the risk appetite (for high likelihood high impact risks)
• Transference - Completely offset the risk to another party, usually a cyber insurance entity (for high likelihood high impact risks).

For onboarded third-party vendors with established risk controls, the risk assessment data will be an evaluation of residual risks, so ideally, the residual risk level should be less than your risk appetite.

But anyone that has worked in risk and compliance will tell you that most threat scenarios aren’t that easy to resolve. It’s always important to consider the complete context of each threat.

For example, if, after all necessary security controls are implemented, the residual risk associated with a third-party vendor is less than your defined threshold, it would make mathematical sense to assign that vendor a low-risk criticality rating. But when the broader context of the threat scenario is considered, it might be discovered that the vendor has access to your sensitive resources, in which case a high-risk rating is more appropriate.

Third-party risk assessments will uncover each vendor’s level of sensitive data access. These results should then direct the allocation of vendors into criticality tiers. This will allow you to optimize your risk remediation program towards vendors with the highest potential negative impact on your security posture.

Learn how to choose the best cyber risk remediation tool >

TPRM Risk Appetite Calculation with UpGuard

The UpGuard platform includes a series of features that could help you define your risk appetite, and better manage your TPRM lifecycle, including:

• Security ratings - UpGuard can quantify the security posture of all your third-party vendors based on an evaluation of 70+ attack vectors.
• Compliance gap analysis - UpGuard can identify the compliance gaps between vendors and their regulatory expectations by mapping security assessment responses to popular cybersecurity frameworks, like ISO 27001 and NIST CSF.
• Continuous monitoring - UpGuard continuously monitors the entire third-party attack surface to help you quickly identify risks exceeding your risk appetite.
• Risk Assessment automation - Secure the entire Vendor Risk Management lifecycle, including onboarding, to ensure vendor risk exposures always fall within your set risk appetite.
• Managed TPRM - UpGuard offers a managed TPRM service addressing either just youc critical vendors, or your entire TPRM lifecycle.

For an overview of UpGuard's Third-Party Risk Management service, watch this video: