So, how can you determine the right amount of money to spend on risk management? The answer isn’t a simple numerical value or percentage, but rather a process of thinking that allows you to better grasp the potential risks of the business as a whole. 

Asking preliminary questions to frame thinking is the best place to start when making a determination.  By considering the key questions below, and reviewing the risks of each area of the business in isolation, you can perceive the bigger picture of potential risks.

Ask yourself:

  • What kind of industry are we in?
  • What kind of personally identifiable information (PII) or sensitive data do we handle?
  • What is the current regulatory landscape of our industry?
  • How complicated are our risks?
  • What are the impact scores of our risks, both individually and aggregated?

Once these questions are answered, take time to dig deeper and examine how security needs vary throughout the company. It is the risk manager’s responsibility to identify these considerations for the CFO to review, but many managers have difficulty articulating and quantifying returns. This is because risk management projects often don’t have end dates or set metrics to report. Working together and communicating is key to understanding the security risks of the company.

Ask Vital Questions

The process of mitigating risks and interpreting results are both equally important. Keeping costs in line starts with asking the right questions from the very beginning. It’s hard to follow a budget if it ignores essential expenditures that could easily be identified by proper analysis of the risk management program. Asking vital questions about real dollars and business impacts will help to calculate actual costs and anticipated returns from planned projects.

Risks are constantly shifting and changing with business needs and practices. An effective risk management strategy accounts for this need for flexibility. The bottom line is that risk is hard to predict, making it crucial to continuously improve the process.

Create a Comprehensive Plan

Deciding the dollar amount to spend on risk may seem like a guessing game, but breaking it down into categories establishes a clearer picture of where the highest potential risks are. A risk management budget may be broken down differently depending on the needs of the business, but it’s beneficial to first divide it based on technical needs, compliance policies and procedures, and products necessary to run effectively.

Once this basic guideline has been established, more specific expenditures can be laid out. Any good risk management budget leaves room for regular monitoring and constant correction. The spending should be adjusted consistently to account for changing levels of risk exposure.

Reference Points are Beneficial—But Only as Framework

As a result of the immense uncertainty surrounding risk management, it’s understandable that many CFOs use benchmarks to compare their spending to others in their industry. This gives CFOs the framework they need to prevent the company from falling behind competitors or overlooking security risks that could easily be averted. While these reports can be helpful in getting a general idea of larger industry trends, they don’t provide sufficient information to create a plan unique to an individual business.

As reported in the 2019 State of the CIO survey, nearly one-quarter of organisations (23%) are allotting 20% or more of their IT budget to risk management and security measures. This report surveyed 683 executives across a variety of industries and breaks down how this budget is typically spent. The findings suggest that the majority of the budget is spent keeping up with industry best practices (74%), followed by compliance mandates (69%), responding to a security incident that happened to the organisation (35%), mandates from the board of directors (33%), and responding to a security incident that happened to another organisation (29%).

Assessing industry reports can provide insight into how other companies are addressing their security risks, but basing numbers entirely off of industry averages is not an adequate method. CFOs must be aware of how their company may differ due to specific circumstances or goals. Many companies must abide by other factors such as regulatory requirements, customer expectations, and demands of partners.

Don’t Overspend

While it’s important to have a holistic budget that includes every area of potential risk, spending too much on risk management can do little to actually reduce risk exposure. It’s crucial that companies identify the point beyond which additional money is no longer justifiable for the risk reduction it buys. This point, where investing more yields only minimal improvement, can be difficult to determine for risk management. It’s impossible to know whether a specific risk that is avoided one year will arise the next year or in the years that follow. Not accounting for a specific risk is a costly mistake for any business. Rolling the dice and hoping that something is avoided isn’t a long-term strategy for risk management. Both under-budgeting and over-budgeting for risk can be detrimental. Finding a balance by preparing for the worst while also being careful not to overspend on unlikely scenarios is the best approach to feeling confident in your risk management strategy.