Security Risk Management and Risk Response Options

Proper management of risk is essential to every organisation. Although frequently seen in a negative light, risk is simply an uncertainty of outcome and routinely accompanies new opportunities. Poor risk management can lead to you failing to take advantage of new business or over-extending yourself and throwing away profits.

Having a good risk management process in place will enable you to properly identify and record the risks you face, and what actions you take to deal with these risks. In turn, this record will help inform and drive your future decisions and enable you to take opportunities with a full understanding of what risks underpin your actions.

The Four Ts of Security Risk Response

A crucial part of risk management is deciding what to do once you have identified a risk.

While the actual measures you take to respond to risk are driven by your organisation's culture and requirements, all response options can be grouped into four broad categories.

For each risk you identify, it is good practice to consider options from every category, as this gives you the information you need to ensure that your chosen risk response is actually a cost-effective solution to the risk.

Security Risk Response Options

The four risk response options are:

  • Terminate. This means stopping doing whatever activity is causing the risk. Frequently this option means that you lose any benefits from the risky activity, so it is normally only considered as a last resort option, such as where the other solutions are prohibitively expensive or impractical.
  • Transfer. Transferring a risk is the process of getting a third party or other external agency to accept some or all responsibility for the risk – a common example of this is insurance. When transferring a risk it is important to realise that only the “impact” of a risk can be reduced in this manner, and that good governance is essential to ensure that the arrangement provides suitable coverage.
  • Tolerate. For some categories of risk, it is a prudent business decision to simply accept that it is part of doing business. This is easiest to do when the overall risk is low and any mitigation measures would actually cost more than the harm that could ensue. As part of your overall risk management process, you should set boundaries for how much risk any one business unit / manager or other sub-division can tolerate.
  • Treat. Treating the risk means taking measures that will drive down the risk to the point at which it can be considered to no longer exist, or at least to a level which can be responded to by other means (usually tolerated). When deciding how to treat risk, you should consider how to reduce the probability of the risk occurring or its potential impact. For some risks you will need to implement multiple treatment options to get the risk down to an acceptable level.

Once you have identified your risk response options, proper documentation should make it easy to determine the most suitable choice. For example, if you have a risk which you estimate has a 10% chance of causing £100,000 worth of harm to your business every year, you may decide that spending £200,000 to mitigate it is not a cost-effective solution. However, if the risk is going to remain for 30 years and the mitigation is a one-off payment, it becomes much more sensible.
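The comparison in that paragraph is easier to apply consistently if the arithmetic is written down once. The following is an added example in Python, not code from the original article or from Halkyn Consulting. It models a risk as an annual probability and a per-event impact, computes the annualised loss expectancy, and compares the untreated exposure over a planning horizon against the cost of a treatment plus whatever residual loss the treatment leaves behind. The per-year tolerance figure (the boundary for the business unit mentioned under "Tolerate") and the second, partial treatment are constructed values for illustration; the £100,000, 10% and £200,000 figures are the article's own.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """A single identified risk: how often it happens and what one occurrence costs."""
    name: str
    annual_probability: float   # chance the risk materialises in any one year (0..1)
    impact: float               # loss per occurrence, in pounds

    def annual_expected_loss(self) -> float:
        # Annualised loss expectancy (ALE) = probability x impact
        return self.annual_probability * self.impact

    def expected_loss(self, years: int) -> float:
        # Untreated exposure over the planning horizon (no discounting applied)
        return self.annual_expected_loss() * years


@dataclass
class Treatment:
    """A candidate 'Treat' response: what it costs and how much risk it leaves."""
    name: str
    one_off_cost: float = 0.0          # paid once, e.g. a capital purchase
    annual_cost: float = 0.0           # paid every year, e.g. a subscription or staff time
    residual_probability: float = 0.0  # fraction of the original probability that remains
    residual_impact: float = 1.0       # fraction of the original impact that remains

    def cost(self, years: int) -> float:
        return self.one_off_cost + self.annual_cost * years


def residual_expected_loss(risk: Risk, treatment: Treatment, years: int) -> float:
    """Expected loss that still occurs after the treatment is in place, over the horizon."""
    return (risk.annual_probability * treatment.residual_probability
            * risk.impact * treatment.residual_impact * years)


def net_benefit(risk: Risk, treatment: Treatment, years: int) -> float:
    """Money saved by treating rather than tolerating. Negative means the
    treatment costs more than the harm it prevents over the horizon."""
    untreated = risk.expected_loss(years)
    treated = treatment.cost(years) + residual_expected_loss(risk, treatment, years)
    return untreated - treated


def recommend(risk: Risk, treatment: Treatment, years: int, tolerance: float) -> str:
    """Choose a response given a per-year loss the owning unit is allowed to accept.

    Returns 'tolerate' if the ALE is within the unit's tolerance, 'treat' if the
    treatment pays for itself over the horizon, and 'escalate' when the risk is
    above tolerance but this treatment is not cost-effective, so another option
    (a different treatment, transfer or terminate) needs to be considered.
    """
    if risk.annual_expected_loss() <= tolerance:
        return "tolerate"
    if net_benefit(risk, treatment, years) > 0:
        return "treat"
    return "escalate"


# --- Constructed sample data (the first risk and treatment use the article's figures) ---
OUTAGE = Risk("major outage", annual_probability=0.10, impact=100_000)
ONE_OFF_FIX = Treatment("resilient infrastructure", one_off_cost=200_000)
# A cheaper, partial treatment: hypothetical offsite backup paid yearly that
# cuts the impact of an occurrence to 20% but does nothing to its likelihood.
BACKUP = Treatment("offsite backup", annual_cost=3_000,
                   residual_probability=1.0, residual_impact=0.2)
UNIT_TOLERANCE = 5_000  # constructed per-year loss boundary for this business unit


if __name__ == "__main__":
    for years in (1, 30):
        for t in (ONE_OFF_FIX, BACKUP):
            print(f"{OUTAGE.name} / {t.name} over {years}y: "
                  f"net benefit £{net_benefit(OUTAGE, t, years):,.0f} -> "
                  f"{recommend(OUTAGE, t, years, UNIT_TOLERANCE)}")
```

Over a one-year horizon the £200,000 one-off treatment has a negative net benefit and the recommendation is to look at other options; over 30 years the same treatment saves £100,000 net and becomes the sensible choice, which is the article's point. The partial backup treatment shows why residual risk matters: it never removes the risk, but over 30 years its lower cost and reduced impact give it a larger net benefit than the one-off fix.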

Effective risk management helps your business, and ensuring that you keep proper documentation of your actions and that you properly identify your risk response options is a vital step towards this goal.

Once you have established your risk management processes, it should be second nature for your organisation to properly manage risks. Risk management is there to help your business, not cause problems, and if you want assistance developing a risk management strategy for your organisation then contact Halkyn Consulting and we will be happy to work with you to achieve your goals.

Halkyn Security
