Risk Appetite or Risk Tolerance?
The IT Personality Model is used to assess an organization’s unique IT context. The Model identifies three characteristics of the IT Personality. Each characteristic provides an understanding of the organization’s business as it relates to its use and acceptance of IT. (You can find a full description in an earlier post Don’t Force Fit Best Practices.)
Risk is one characteristic of the IT Personality Model. The first time I presented the model I named that characteristic Risk Tolerance. The next speaker at the conference referred back to the Model but called it Risk Appetite. I realized that in naming the characteristic I was using an IT lens. Risk Appetite comes from a business lens. And this is yet another example of business and IT not only speaking different languages, but having a very different meaning for the same concepts.
A great example emanates from the education sector. In education, learning is the core business. And learning is about taking risks, all day, every day. Without risk, learning cannot happen. When I was working in education and we asked teachers what they wanted from IT, the answer was “when I turn it on it has to work”. As IT professionals, we knew exactly how to deliver that level of reliability. We locked everything down! No administrative access to devices. No peer-to-peer networking. No open source tools. We created an environment that delivered exactly what our business partner asked for, but certainly not what was needed to support the business of learning.
Business is always about taking risks. You could argue that certain sectors are more risk-averse than others, but ultimately without risk a business will stagnate and die. Delivering IT requires the management and mitigation of risk. Controls and processes are in place to ensure the reliability, scalability and sustainability of IT services in the support and enablement of the business. IT is about how much risk can be tolerated while still maintaining service. Business survival requires an appetite for risk.
How often do we have the real conversation about risk? Understanding the corporate risk profile is essential to determining the appropriate IT risk tolerances in your company. A mismatch is a sure path to friction between business and IT.