Risk Management
After an organization has identified all of the risks to the confidential information that it collects, stores, processes, or transmits, it must determine what to do with each of those risk elements.

Document and Analyze

An organization has only four choices to address all risks that are identified. Those four choices include:

- Knowingly and objectively accept the risk
- Transfer the risk to another party
- Eliminate the risk
- Reduce the risk

Accepting Risk

An organization has the choice to accept an identified risk. However, that decision must be made with thorough and comprehensive knowledge of the potential damage or liability that acceptance implies. The acceptance of risk must be made by executive management and be based upon all of the available information. Executive management must make this determination clear, and security policies should be updated to reflect the determination.

Transferring Risk

An organization has the choice to transfer the risky behavior or the risk liability to another party. An example of transferring risk might be obtaining data breach insurance so as to reduce the liability in the event a risk is exploited. Another option is to transfer the risky activity to another party. An example of this might be outsourcing all credit card transactions to a third party that accepts the payment for a percentage of the charged amount.

Eliminating Risk

Another option is the complete elimination of a risky activity. If a risk cannot be reduced sufficiently for it to be acceptable to executive management, and it is not reasonable to transfer that risk to a third party, then an organization may decide to eliminate the risk entirely. In these cases an organization makes an executive decision that the revenue opportunity is not sufficient to justify the residual risk that remains after mitigation strategies are applied.

Reducing Risk

By far the most popular option is risk reduction, which can be accomplished by many methods. In practice an organization combines the strategies above with the implementation of risk-reduction strategies and controls.
Organizations might deploy techniques and controls to reduce risk. Controls typically fall into categories such as:

- Administrative
- Physical
- Technical

Controls typically include policies, procedures, practices, processes, technology, logs, checklists, and the like. RISC Management employs experts with extensive experience in these techniques.