Risk management is the process of determining an acceptable level of risk, calculating the current level of risk, and then either accepting the level of risk (risk acceptance) or taking steps to reduce the current level of risk to the acceptable level (risk mitigation).
Let's take a look at what it means to either accept or mitigate risk in your organization.
Risk acceptance indicates that the organization is willing to accept the level of risk associated with a given activity or process. Generally, but not always, this means that the outcome of the risk assessment is within tolerance. There may be times when the risk level is not within tolerance, but the organization will still choose to accept the risk because all other alternatives are unacceptable. Exceptions should always be brought to the attention of management and authorized by either the executive management or the Board of Directors.
Risk mitigation implies one of the following four actions (or a combination thereof):
- Risk Reduction – Reducing the risk by implementing one or more countermeasures.
- Risk Sharing – Sharing the risk with another entity.
- Risk Transference – Transferring the risk to another entity.
- Risk Avoidance – Modifying or ceasing the risk-causing activity.
Let’s take a look at each action a little more closely.
Risk reduction is accomplished by implementing one or more offensive or defensive controls in order to lower the residual risk. An offensive control is designed to reduce or eliminate a vulnerability, such as enhanced training or applying a security patch. A defensive control is designed to respond to a threat source (for example, a sensor that sends an alert if an intruder is detected).
Prior to implementation, risk reduction recommendations should be evaluated in terms of their effectiveness, resource requirements, complexity, impact on productivity and performance, potential unintended consequences, and cost. Depending on the situation, risk reduction decisions may be made at the business unit level, by management, or by the Board of Directors.
Risk Transfer / Risk Sharing
Risk transfer or risk sharing is undertaken when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization. This is often accomplished by purchasing insurance.
Risk sharing shifts a portion of risk responsibility or liability to other organizations. The caveat to this option is that regulations such as GLBA (financial institutions) and HIPAA (healthcare organizations) prohibit covered entities from shifting compliance liability.
Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk appetite and tolerance, and a determination has been made not to make an exception. Risk avoidance involves taking specific actions to eliminate or significantly modify the process or activities that are the basis for the risk. It is unusual to see this strategy applied to critical systems and processes because both prior investment and opportunity costs need to be considered. However, this strategy may be very appropriate when evaluating new processes, products, services, activities, and relationships.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.