13.- RISK RESPONSE PLANNING.
Deciding how to treat each risk you have identified involves a balancing act between risk and benefit, and between risk and cost or convenience. Treating risks means deciding what will be done about the risks your organization faces. Treat the highest risks first; the treatment should be appropriate to the level of identified risk, and in general the cost of treatment should be commensurate with the potential benefits.
“Acceptable risk (can we live with this risk? Is it a minor inconvenience or a major problem?) is a risk that is understood and tolerated, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expected loss from that risk”.
All organizations need to take on a certain level of risk when conducting business in order to generate returns for their stakeholders. Appetite for risk and tolerance for deviation from objectives must form the basis for determining how to address risks, considering their expected impact and likelihood of occurrence. Risk tolerance can vary from one risk type to another, depending on the importance to the organization’s key mission, values, and objectives.
Risks that present high impact and high likelihood are typically to be avoided, and risk mitigation actions should be undertaken to halt and exit the activities that create such risk. Risks that present low impact and low likelihood are typically accepted as part of the cost of doing business; no specific action is deemed necessary to further address them. Risks that fall in between may require measures to reduce their impact and / or likelihood through strengthening or automation of controls.
If you have decided a risk is unacceptable, there are several options for treating it. Take a methodical approach: in order to decide on a treatment for each risk, pull it apart and think about what actions you can take to remove or weaken the factors contributing to it. Following this initial pass, it will probably be necessary to assign specific tasks to individuals with the capability and authority to effect change, with specified milestones and timelines that are documented and tracked to completion. You will need a system in place to monitor what everybody is doing, through reporting or perhaps by holding regular meetings where they can report their progress. Put your risk committee or risk manager in charge of assigning tasks, keeping informed of the progress of each one, and reporting back to the management board. Successful implementation should translate into reduced risk exposures on the organization’s risk map. Good and constant communication is essential, because some actions will take longer than others and different tasks will involve different people.
An inherent risk map provides a quick view of risk that prompts measures and actions. It helps determine which risk areas are most significant and should be the focus of a more detailed assessment or implementation of a specific risk response. It also enables analysis of interdependencies and relative prioritization of risks, and determination of risk responses. In short, the risk map can provide focus for management’s risk agenda.
So how do you decide the best way to treat a particular risk? It is a balancing act: the balance between risk and benefit (it is very hard indeed to remove every single risk that applies to your organization, so in each case you will have to weigh the risks against the benefits), and the balance between risk and cost or convenience (you need to ensure that the cost of mitigating the risk does not exceed your organization's ability to pay). As with all steps in the risk management process, it is important to keep records of what decisions you have made about treating risks, what actions need to be performed, by whom, and what deadlines or criteria you have set for making sure they get done properly and on time.
Risk management requires that, for each high and medium level risk identified during the analysis process, one of the following responses is chosen:
- Risk acceptance: if the risk is minor, or the cost of avoiding it is beyond your capacity to pay and the activity behind the risk is core to your very existence, you may need to consider accepting the risk. Be mindful of the consequences and do not simply ignore them in the hope that they will never happen.
- Risk avoidance: the best thing you can do is eliminate the risk completely, if this is possible. Note that an action taken to reduce or eliminate one risk can inadvertently affect a related process; often this potential effect is neither identified nor investigated.
- Risk reduction: look at alternative solutions that reduce the risk. Make changes to processes, procedures, business culture, people's behaviour or infrastructure to reduce it, or replace the risk with a lesser one. Be careful to assess what new risks the substitute may pose.
- Risk transfer: if you are not able to remove or substantially reduce the risk, you may be able to shift its burden onto someone else's shoulders, for example by hiring subcontractors or sharing the job with another organization.
“Risk responses are expected to bring the level of risk exposure down to defined risk tolerance levels”.
“While some measures may not reduce the likelihood of a risk, they would help reduce the impact to the business if this risk were to occur”.