Digital Risk Appetite Statement
Background
The UC Digital Risk Appetite Statement came from an audit of the IS-3 policy, which identified a need to align location choices with those of UC as an enterprise and support the roles of location Information Security Management Plans in decision support.
Statement
The University of California acknowledges that “digital risk” is inherent in all aspects of its operations, including academic, research, health care and administrative activities. Digital Risk is defined as the risk posed from areas such as cyber security, digital accessibility, data privacy, IT third-party risk management, and emerging technology. UC accepts that the pursuit of its mission requires the acceptance of digital risk within a framework of sound risk management practices and organizational resilience.
UC maintains an overall “cautious” appetite for digital risks as a baseline for its operations. However, given UC’s considerable information assets, containing millions of patient health records and billions in federal funded research, UC has a “minimalist” appetite for risk in our healthcare enterprise and parts of our research enterprise.
As a result, UC makes resources available, aligns business operations across locations and drives system collaboration to identify, prevent, mitigate, and manage digital risks to reasonable levels.
UC recognizes that investing in prevention must be a key component of our risk management strategy. UC recognizes that not all risks can be eliminated, and that taking risks is sometimes necessary to achieve its objectives. UC is committed to managing risk in a transparent, accountable, and consistent manner, in accordance with best practices and applicable laws and regulations.
UC will regularly review and update its risk management policies and procedures, including this Digital Risk Appetite Statement and Guidance, as part of its strategic planning processes to ensure that they remain effective and appropriate to its evolving risk profile. Due to its federated nature, UC recognizes that locations are a key component of its risk management strategy. Campuses support their own digital risk management priorities while simultaneously supporting systemwide initiatives and security strategies. Locations provide unique insight to risk and as such asks UC locations to consistently and transparently report and collaborate on risk. Individual UC business units may choose to adopt a lower risk tolerance as appropriate.
UC Digital Risk Appetite Categories
| Rating | Risk-Taking Philosophy | Appetite for Uncertainty: How willing are you to accept uncertain outcomes? | Choice: When faced with multiple options, how willing are you to select an option that puts this objective at risk? | Trade-Off: How willing are you to trade off this objective against the achievement of other objectives? |
|---|---|---|---|---|
| 5-Open | Will take justified risks | Fully anticipated | Will choose option with highest return; accept possibility of failure | Willing |
| 4-Flexible | Will take strongly justified risks | Expect some | Will choose to put at risk; but will manage the impact | Willing under certain conditions |
| 3-Cautious | Preference for safe delivery | Limited | Will accept if limited and heavily outweighted by benefits | Prefer to avoid |
| 2-Minimalist | Extermely conservative | Low | Will accept only if essential and limited possibility/extent of failure | With extreme reluctance |
| 1-Averse | "Scared" - risk avoidance is a core objective | Extremely low | Will select the lowest risk option, always | Never |