Risk Response Strategies

After the residual risk level (inherent risk minus the effect of IT controls) is determined, the remaining gaps are identified. In light of these gaps, the organization has to choose one of the following risk response strategies.

Risk Response Strategies for Threats:

  1. Avoid - Eliminate the hazards, activities, and exposures that create the risk. This requires a decision by the business risk owner and the risk committee. Example: decommission an IT framework or component with known vulnerabilities and no available fixes.

  2. Mitigate - Take steps to reduce the negative effects of the risk. Example: implement additional controls.

  3. Accept - Acknowledge that the potential loss does not warrant spending resources. Acceptance is the least preferred strategy and should be documented and periodically monitored.

  4. Transfer - Contract to shift the risk to another party. Example: insurance.

  5. Monitor - As part of acceptance, continue to watch for secondary risks.

Risk Response Strategies for Opportunities:

  1. Escalate - Contact management to take responsibility for managing the risk.

  2. Enhance - Modify the exposure to make it more acceptable.

  3. Exploit - Take advantage of the benefits of a potential event.

  4. Accept - Acknowledge that the potential gain does not warrant spending resources.

  5. Share - Allocate ownership to the party best able to manage the risk.

Guidelines related to Risk Response:

  1. Avoid Threat

    The Business Owner and Risk Committee should approve the cancellation or postponement of the activity or asset to which the risk is related, e.g. a project, IT component, provider relationship, or contract.

  2. Mitigate Threat

    IT controls to mitigate the risk should be identified and their effectiveness evaluated. The Business Owner and Risk Committee should approve the selected controls.

  3. Accept Threat

    Acceptance should be the least preferred option; where chosen, it should be documented and periodically monitored.
