Risk Treatment & Response Options

It all starts with the direction and strategy. Risk Response needs to be fully aligned with Risk Appetite and Risk Tolerance.

When deciding about risk treatment and risk response, we need to take into account the following factors:

  • on-staff expertise,
  • strategic direction,
  • legal and regulatory requirements,
  • organizational culture.

It's important to remember that Risk Response is fundamentally a business decision made by managers!

Ok, so how do we decide which Risk Response to choose? How about the following 3 steps?

  1. Document the identified risk in the Risk Assessment Report and the Risk Register.
  2. Management determines the best response based on business objectives.
  3. Management develops an action plan and implementation strategy.

Again, remember that it's not about eliminating or minimizing risk for the sake of eliminating or minimizing it. It's about alignment with Business Goals.

Hence, when choosing a response option, several factors are considered. One of the essential ones, however, is cost!

And finally… what Response Options do we typically have? Here we go!

  1. Risk Acceptance
  2. Risk Mitigation – typically achieved through the implementation of controls (e.g. installing new access control system).
  3. Risk Sharing/Transfer – e.g. third-party insurance or partnership and outsourcing agreements.
  4. Risk Avoidance – leaving the activities or conditions that give rise to the risk – e.g. relocating a data center away from a region with significant natural hazards.

Management is always accountable for accepting the risk, and should be empowered to do so.

What to take into account in the context of Risk Response?

The Risk Response phase focuses on the decisions made to address identified risk.

Firstly, consider having multiple response options.
Secondly, responses need to be supported by appropriate control measures.
Thirdly, lessons learned from the chosen response options need to be fed back as input into the risk management strategy.

When designing a Risk Response, several factors need to be considered:

  • budget,
  • resources,
  • strategic plans,
  • roadmap to implement changes within reasonable schedule.

The Risk Practitioner communicates with the Risk Owner. It's crucial that the Risk Owner is a manager or senior executive. Remember that it's the Risk Owner who manages the controls!

Risk Ownership vs Risk Accountability

It's best to use a practical example:

Risk Ownership: The Head of IT Security might be the risk owner for cyber risks, responsible for implementing and managing security measures.

Risk Accountability: The Chief Risk Officer (CRO) or a Risk Management Committee would be accountable for ensuring that the overall risk management framework is effective and that cyber risks are managed in accordance with the organization’s risk appetite and policies.