WHAT IS RISK RESPONSE?
The purpose of risk response is to bring risk in line with the defined risk appetite in the wake of risk analysis. A response needs to be defined so that future residual risk (i.e., the risk that remains after the response is defined and implemented) is, as much as possible (usually depending on available budget), maintained within risk tolerance limits.
RISK RESPONSE: OVERVIEW
- Avoid—The enterprise makes changes so that the loss event does not occur; risk is eliminated. Avoiding a risk also means abandoning any possible opportunities associated with the activity.
- Share/transfer—Risk is either partially shifted (shared) or completely shifted (transferred) to a third party.
- Mitigate—Risk is reduced by performing activities that reduce either the frequency of events or the probable loss. Activities include the implementation of compensating controls or the redesign of processes. Mitigation activities also include measures to limit the loss after an event occurs, such as business continuity and contingency planning, preparedness, and setting up retainer agreements with external firms that provide additional response capabilities.
- Accept—Essentially, this option is to do nothing. The enterprise retains the risk.
- Increase—The strategic removal of other risk response options (mitigate, transfer) with the goal of increasing one’s risk exposure.
- Exploit—If the risk is determined to be positive and below the established thresholds (e.g., appetite), management can take action to exploit the positive aspects of the risk.
Efficient and optimized risk response decisions need guidelines and guardrails. For most enterprises, this comes in the form of risk appetite, risk tolerance, and risk capacity thresholds.
- Risk appetite—The broad-based amount of risk an enterprise or other entity is willing to accept in pursuit of its mission (or vision).
- Risk tolerance—The acceptable range relative to the achievement of a given objective (best when quantified in terms of the same unit measure as the related objective).
- Risk capacity—The objective magnitude or amount of loss that an enterprise can tolerate without risking its continued existence.
Information and Technology Risk frameworks guide the risk manager to use risk appetite and tolerance as the starting point when choosing risk response options. If the risk is well below tolerance, the enterprise may choose to accept the risk, focusing resources on risk that exceeds the established thresholds. If the assessed risk exceeds tolerance, the enterprise should choose a method that reduces it.
Risk response is complex. Choosing and optimizing an efficient response goes beyond picking “mitigate” as a default when a risk analysis is complete and is fraught with additional problems like unintended consequences, inefficiencies and moral hazard.
Risk response should be active and continuous, not a passive “set it and forget it” approach. Implementing key risk, performance and control indicators (KRIs, KPIs, KCIs) to serve as early warnings that risk changes may be on the horizon is one way to be proactive. Another is to continuously reassess risk, even risk that is well below tolerance and has long been accepted.
The objective of risk response is to achieve enterprise goals through efficient risk management. The purpose is not risk mitigation. Optimized risk response may mean the strategic acceptance, transference or increase of risk if the analysis supports it.
Risk quantification may be the single most effective tool in identifying and weighing the pros and cons of available options. Enterprises not currently using risk quantification should consider implementing it, at a minimum, to assist in making the most critical strategic risk decisions.
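As an added illustration (not part of the article), the selection logic described above as a small quantified model: each response option scales the current loss frequency and loss magnitude, a risk already within tolerance is accepted, and otherwise the affordable option that brings residual expected loss within tolerance at the lowest total cost (response cost plus residual loss) is chosen. The risk, option and threshold figures are constructed, not taken from the article.

```python
from __future__ import annotations
from dataclasses import dataclass

# All figures in this file are constructed for illustration only.


@dataclass(frozen=True)
class Risk:
    name: str
    frequency: float  # expected loss events per year
    magnitude: float  # expected loss per event, in currency units

    @property
    def expected_loss(self) -> float:
        return self.frequency * self.magnitude


@dataclass(frozen=True)
class Response:
    option: str              # avoid, share/transfer, mitigate or accept
    annual_cost: float       # running cost of the response per year
    frequency_factor: float  # residual frequency as a fraction of current (1.0 = unchanged)
    magnitude_factor: float  # residual loss per event as a fraction of current

    def residual(self, risk: Risk) -> Risk:
        return Risk(risk.name, risk.frequency * self.frequency_factor,
                    risk.magnitude * self.magnitude_factor)


ACCEPT = Response("accept", 0.0, 1.0, 1.0)  # do nothing, retain the risk


def choose_response(risk: Risk, options: list[Response],
                    tolerance: float, budget: float) -> tuple[str, float]:
    """Return (chosen option, residual expected loss).

    A risk already within tolerance is accepted so resources go to risk that
    exceeds the threshold.  Otherwise the cheapest affordable option whose
    residual loss is within tolerance wins; if no affordable option reaches
    tolerance, the affordable option with the lowest residual is returned so
    the remaining gap is visible to the decision maker."""
    if risk.expected_loss <= tolerance:
        return ACCEPT.option, risk.expected_loss
    affordable = [o for o in options if o.annual_cost <= budget]
    within = [o for o in affordable if o.residual(risk).expected_loss <= tolerance]
    if within:
        best = min(within, key=lambda o: o.annual_cost + o.residual(risk).expected_loss)
    elif affordable:
        best = min(affordable, key=lambda o: o.residual(risk).expected_loss)
    else:
        best = ACCEPT
    return best.option, best.residual(risk).expected_loss
```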