It all starts with direction and strategy. Risk Response needs to be fully aligned with Risk Appetite and Risk Tolerance.
When deciding about risk treatment and risk response we need to take into account the following factors:
- on-staff expertise,
- strategic direction,
- legal and regulatory requirements,
- organizational culture.
It's important to remember that Risk Response is fundamentally a business decision made by managers!
Ok, so how do we decide which Risk Response to choose? How about the following 3 steps?
- Document the identified risk in the Risk Assessment Report and the Risk Register.
- Management determines the best response based on business objectives.
- Management develops an action plan and implementation strategy.
Again, remember that it's not about eliminating or minimizing risk for the sake of eliminating or minimizing it. It's about alignment with Business Goals.
Hence, when choosing a response option, several factors are considered. However, one of the essential ones is cost!
And finally… what Response Options do we typically have? Here we go!
- Risk Acceptance
- Risk Mitigation – typically achieved through the implementation of controls (e.g. installing new access control system).
- Risk Sharing/Transfer – e.g. third-party insurance or partnership and outsourcing agreements.
- Risk Avoidance – leaving the activities or conditions that give rise to the risk – e.g. relocating a data center away from a region with significant natural hazards.
Management is always accountable for accepting the risk, and should be empowered to do so.