The SANS Technology Institute

SANS Technology Institute - Risk Appetite Statement

Download PDF (72KB)

Success of the SANS Technology Institute requires managing business and educational drivers to support the mission statement's goal of producing leaders. Examples of some business drivers relate to the need to earn revenue from tuition, alumni donations, etc. Examples of some educational drivers relate to our mission to produce leaders, teaching excellence, quality, recruitment of people with strong leadership potential, etc. Key initiatives are outlined in the 2007-2011 Strategic Business Plan. The College accepts an element of risk in almost every activity it undertakes. The SANS Technology Institute's risk appetite can be determined by answering the question: "How willing is the College to accept risk related to key initiatives, business and educational drivers?" We are going to use a five point scale where:

5 is a High Risk Appetite
A business and educational initiative rated as a 5 means that the institution is willing to accept a high risk of potential injury to staff and students, financial loss or exposure, major breakdown in information system or information integrity, reputation damage, significant incidents(s) of regulatory non-compliance. An example of a 5 might be to sponsor a College football team where the potential for injury to a student is more of an issue of when than if. However, the business benefits of a successful College football team may persuade the governing board to pursue the initiative despite the risk.

4 is a Moderately High Risk Appetite
A business and educational initiative rated as a 4 means that the institution is willing to accept a moderately high risk of potential injury to staff and students, financial loss or exposure, major breakdown in information system or information integrity, reputation damage, significant incidents(s) of regulatory non-compliance.

3 is a Balanced Risk Appetite
A business and educational initiative rated as a 3 means that the institution is willing to accept only a balanced risk of injury to staff and students, financial loss or exposure, major breakdown in information system or information integrity, reputation damage, significant incidents(s) of regulatory non-compliance.

2 is a Low Risk Appetite
A business and educational initiative rated as a 2 means that the institution is not willing to accept risks in most circumstances that may result in risk of injury to staff and students, financial loss or exposure, major breakdown in information system or information integrity, reputation damage, significant incidents(s) of regulatory noncompliance. A 2 score usually means that the institution sees more risk than potential reward in an initiative.

1 is a Risk Averse Appetite
A business and educational initiative rated as a 1 means that the institution is not willing to intentionally accept risks in any situations that may result in potential risk of injury to staff and students, financial loss or exposure, major breakdown in information system or information integrity, reputation damage, significant incidents(s) of regulatory noncompliance. Any item marked with a 1 should have positive controls in place to ensure that harm cannot happen.

The overall Risk Appetite for the College is a 3. Though groups such as the Internet Storm Center may operate at higher risk/reward levels, the College's academic orientation leads to a general preference for balanced risk.

Some of the specific Risk Appetite Factors are shown below:

Ethical Leadership Risk Appetite 1
Without a strong emphasis on ethics, the college cannot be successful in achieving the goals of our mission statement. Ethics and critical thinking will be communicated, modeled and required of all Faculty, Students and Staff.

Academic Reputation Risk Appetite 2
The College will continue to maintain its high standards of academic quality (excellence in teaching, leadership and research; respect for intellectual property (no plagiarism, no cheating); and no falsification of research results. However, the potential for breach exists, tools like turnitin are powerful, but not perfect, and there have been intellectual property issues in the past. For example, the institution noticed possible copyright infringement in two courses, so it instituted a policy of having a subject matter expert review proposed courses to assure there is no copyright violation. An additional risk exists that the College will not be seen as a leader in research: we need to maintain this tradition through the GIAC Gold program.

Faculty Risk Appetite 4
We will only use faculty who can consistently demonstrate teaching excellence. Because we insist on the best, we are at high risk of losing faculty members to headhunters and other job opportunities. Safeguards include generous compensation and continual development of new faculty. In time, we believe our own alumni may be one of our best sources for faculty members.

Student Selection and Retention Risk Appetite 3
We will recruit the best students. We have already raised the requirements for admission twice to ensure the quality of the admitted students remains in line with the mission statement. Retention requires a higher risk appetite. These are very challenging programs and we expect to lose some students.

Community and Relationships Risk Appetite 2
Every effort will be made to ensure students develop relationships with one another as well as Faculty. Reach-out will continue with alumni. The College web site will continue to develop and offer resources to the students and community.

Financial Resources Risk Appetite 2
We will carefully manage expenses, plans and financial commitments to remain within approved budget.

Information Management - Risk Appetite 2
We will continue to apply the same high standards of configuration and security that we teach students to use on our IT resources.

Information Management - Research Systems Risk Appetite 4
Some of the resources available to students for research include malware and other dangerous tools. However, it must be noted that toy swords produce toy swordsmen. We believe the value of allowing students to use these tools outweighs the risks.