After an organization has identified all of the risks to the confidential information that it collects, stores, processes, or transmits, a determination of "What to do with those risk elements?" must be made.
Document and Analyze
An organization has only four choices for addressing the risks it has identified. Those four choices are:
Knowingly and objectively accept the risk
Transfer the risk to another party
Eliminate the risk
Reduce the risk
An organization has the choice to accept an identified risk. However, that decision must be made with thorough and comprehensive knowledge of the potential damage or liability that acceptance implies. The acceptance of risk must be made by executive management and be based upon all of the available information. Executive management must make this determination clear, and security policies should be updated to reflect the determination.
An organization has the choice to transfer the risky behavior or the risk liability to another party. An example of transferring risk liability is obtaining data breach insurance to reduce the liability in the event a risk is realized. Another option is to transfer the risky activity itself to another party, for example by outsourcing all credit card transactions to a third party that accepts the payment for a percentage of the charged amount.
Another option is the complete elimination of a risky activity. If a risk cannot be reduced sufficiently to be acceptable to executive management, and it is not reasonable to transfer that risk to a third party, then an organization may decide to eliminate the risk entirely. In these cases, an organization makes an executive decision that the revenue opportunity is not sufficient to justify the residual risk that remains after mitigation strategies are applied.
By far the most popular option is risk reduction, which can be accomplished by many methods. In practice, an organization predominantly combines several of the strategies above with the implementation of reduction strategies and controls.
Organizations might deploy techniques and controls to reduce risk. Controls typically fall into categories such as:
Controls typically include policies, procedures, practices, processes, technology, logs, checklists, and the like. RISC Management employs experts with extensive experience in these techniques.