Risk managers deal with multiple levels of complexity in a constantly changing threat landscape. There are five common responses to risk: avoid, share/transfer, mitigate, accept and increase.
Managers often employ a combination of response options rather than choosing just one. ISACA’s guidance details the potential benefits and common pitfalls of each response. With risk sharing, for example, common pitfalls include moral hazard and a third party that cannot realistically absorb the risk it has taken on, while a potential benefit is that the risk is quantified and spread across several parties to limit losses.
Enterprises must carefully ensure the following when weighing risk response options:
- The strategy to respond to risk supports the enterprise’s goals, objectives, and IT strategic alignment.
- The strategy to respond to risk does not contradict the enterprise’s value proposition.
- The strategy to respond to risk is aligned with the enterprise’s risk appetite and tolerance.
- The enterprise has the ability, risk maturity, and the appropriate people, processes, and technology to execute the chosen risk response option.
- The enterprise has considered how each risk response option influences the components of risk (loss frequency, loss magnitude and risk velocity).
“Having an optimised risk response process is essential for helping enterprises manage risk efficiently,” says Paul Phillips, CISA, CISM, MBA, ISACA IT Risk Professional Practices Lead. “Each action an enterprise takes to respond to risk can have a ripple effect, influencing other systems and processes. It’s important to understand how the risk response option itself will influence risk and how the option is implemented to move toward an efficient and optimised risk management process.”