Rather than suddenly finding yourself in a bad situation, it's better to see it coming (when possible). Key Risk Indicators (KRIs) help with that. Key Risk Indicators measure the likelihood of something happening and tell you whether the consequence would exceed the organization's risk appetite. These measurements can be expressed as percentages, currency, numbers, values, etc.
Example of Key Risk Indicators
Key Risk Indicators & Risk Appetite - how do they go together?
As mentioned, Key Risk Indicators tell you whether the activity you're planning, or the risk that comes with it, is higher than your risk appetite. So it makes sense that you first need to know what your risk appetite is (or should be under the GDPR) before you can tell that you've crossed the line.
What should your risk appetite be?
Well, that's not for me to say, but here's what I can say: as a general rule, you should never risk more than you can afford to lose. Not everybody will agree with that, and it also depends on your situation, I suppose. Organizations where time to market is a competitive factor are more likely to have a high risk appetite than, for instance, an organization that lives off its reputation and long-term commitments, which would most likely take fewer chances and therefore has a lower risk appetite. But, as a side note, we all remember the banking crisis... they spent money they didn't have and mostly the innocent parties got hurt. Let's try to avoid that, shall we?
Visuals of risk appetites
There are many, many variables, but to keep it simple I'm showing three distinct risk appetites: low, average and high. The colors in the matrices are:
- green (low risk - safe to move forward)
- amber (cautiousness required)
- red (danger zone - get out)
Low risk appetite: When an organization would rather not take a lot of risk, it tends to set very strict boundaries and play it safe. You'll see more red and amber, meaning that certain actions will very quickly be considered risky.
Average risk appetite: the word 'average' is key. This is the category most organizations fall into.
High risk appetite: You'll notice that there's a lot of green, a.k.a. low risk zones. This means that this organization accepts risks with an extreme impact as long as the probability is unlikely. Unlikely still means it can happen, keep that in mind. You could also say they're taking a calculated risk. They're willing to accept a moderate impact when the probability of the risk occurring is occasional. Now that's significant, don't you think?
GDPR & Risk Appetite
The GDPR has something to say about this too. The GDPR requires organizations to be able to measure risks, for instance by using matrices like the ones above, to determine whether a risk is high or not. Now keep in mind that although an organization may be willing to risk a lot when it comes to its own reputation, the GDPR won't allow such high risks when they affect data subjects. The risk appetite of a personal data processing activity would look something like this:
If your assessment shows that you're in the red zone, under the GDPR you must conduct a DPIA (Data Protection Impact Assessment). To learn more about that, sign up for the 60 Day Privacy & Risk Challenge, where you'll learn when to conduct a DPIA and we'll practice writing a few too, or contact me to help you conduct a Data Protection Impact Assessment.
What can you do to move risks from the red zone to the green zone?
We call this your risk response. There are a few things you can do:
- Avoid: When the probability of a risk occurring is high and/or the impact is considered severe, you can choose to avoid that risk by making certain it cannot happen, for instance by not holding a specific event, or by not producing a particular product, etc.
- Reduce: You can also choose to reduce the threat by taking certain actions that are within your influence.
- Choose a different path: Of course you can also choose to take a different path altogether. Or you can move the risk to another date, department or organization, for instance by making sure liability is clearly defined in your processing agreements.
- Share: Sharing risk is something you would most likely do with a joint controller (see my blog J is for Joint Controller) or an insurance company, when you insure yourself against certain risks that could see you receive claims.
- Accept: And last, but not least, you can just accept the risk. When the probability is low and the impact is negligible, simply accepting the risk seems the most appropriate thing to do. However, you also see car manufacturers accepting fines for breaking the rules, because they've calculated that breaking the rules gives them a higher profit than the maximum penalty they could receive. I don't recommend this approach if there are data subjects involved. When it's your own organization and your own downfall, do whatcha gotta do.
Would you like to learn more about Privacy & Risk & DPIA's (Data Protection Impact Assessments)?
Sign up for the 60 Day Privacy & Risk Challenge, which starts on February 3rd 2020.