From the course: CompTIA Security+ (SY0-601) Cert Prep: 10 Governance, Risk, and Compliance

Risk treatment options

- [Instructor] Once you complete a risk assessment for your organization, you're left with a prioritized list of risks that require your attention. Risk management, or risk treatment, is the process of systematically analyzing potential responses to each risk, and implementing strategies to control those risks appropriately. No matter what risk you're managing, you have four basic options for addressing the situation. You can perform risk avoidance, risk transference, risk mitigation, or risk acceptance.

Now, when you avoid a risk, you change your organization's business practices so that you're no longer in a position where that risk can affect your business. Earlier, we performed a risk assessment of the risk that flooding posed to an organization's data center. If we chose to pursue a risk avoidance strategy for that risk, we might relocate the data center to a facility where there is no risk of flood damage.

Transferring a risk attempts to shift the impact of a risk from your organization to another organization. The most common example of risk transference is an insurance policy. Many organizations are now considering the purchase of cybersecurity insurance policies to protect against the financial damage caused by hackers or identity theft. Now, it's important to remember that you can't always transfer a risk completely. For example, you can purchase insurance to cover the financial damage caused by a security breach, but no insurance policy can repair your business's reputation in the eyes of your customers. In our flood risk example, we might choose to transfer the financial risk of our data center flooding from our organization to an insurance carrier by purchasing flood insurance.

Risk mitigation takes actions designed to reduce the likelihood or the impact of a risk. If we want to mitigate the risk of the data center flooding, we might engage a flood control specialist to install systems that are designed to divert water away from our facility.
In almost every risk assessment, managers find themselves confronted with a very long list of risks and inadequate resources to avoid, transfer, or mitigate all of them. For business reasons, they must accept some of those risks. Risk acceptance should only take place as part of a thoughtful analysis that determines that the cost of performing another risk management action outweighs the benefit of further controlling the risk. In our flooding scenario, we might conclude that all of the other risk management options would be too costly. And then we might decide to continue operations in our current facility as is, and deal with the aftermath of a flood, should it occur.

Now, every organization must choose an appropriate mix of these risk management strategies for its own technical and business environment. The combination of risks that affect an organization is known as its risk profile. And the organization adopts risk management strategies to address the risks in that risk profile.

The initial level of risk that exists in an organization before any controls are put in place is the organization's inherent risk. Then, controls are applied to reduce that risk. But, of course, not every risk can be completely eliminated. The risk that remains after the inherent risk is reduced by controls is known as the residual risk. Also, controls themselves may introduce some new risk. For example, if you install a firewall as a risk management control, that may reduce your risk substantially, but it also adds a new risk that the firewall itself may fail. That new risk that results from adding controls is known as control risk.

The reality is that organizations will need to accept some ongoing risk in order to continue operations. Business leaders must decide how much risk they choose to accept. This is a process known as determining the organization's risk appetite. The goal of risk management is to make sure that the combination of residual risk and control risk is below the organization's risk appetite.