Implementing Risk Responses

Last time, I talked about the 3rd point under the COSO guiding principle of Performance, which was Prioritizes Risk. This week, I'll move on to the 4th point under Performance, which is Implements Risk Responses.

Performance has 5 points:

  1. Identifies Risk

  2. Assesses Severity of Risk

  3. Prioritizes Risk

  4. Implements Risk Responses

  5. Develops Portfolio View

After prioritizing the risks, your organization must evaluate and implement treatment for each risk. Your organization will strive to ensure that a risk is within its risk appetite and risk tolerance in the most cost-effective way. A cost/benefit analysis is usually done on various risk treatment options to determine an optimal and effective solution.

The same should be done within individual business units, and in your case, likely the cybersecurity team. The ERM team will likely lean on you to help identify cost-effective yet impactful solutions to treat a risk.

There are generally four types of risk responses an organization can take:

  1. Avoid: Change the strategy or activity so the risk no longer exists. Avoiding a risk is usually considered when there is no cost-effective way to reduce the cybersecurity risk to an acceptable level, as defined by the unit's or the organization's risk appetite and tolerance.

  2. Mitigate: Apply a risk treatment (a control or set of controls) that reduces the threats, vulnerabilities, likelihood, or impact of a given risk so that the residual risk is within risk appetite and tolerance.

  3. Transfer: Share part of the risk with a third party, which most organizations consider when they do not have complete control over the risk. Think outsourcing to a SaaS provider or buying cyber insurance. Note that transferring a risk shifts its financial or operational burden, not accountability for it: a breach at your SaaS provider is still your breach as far as your customers and regulators are concerned, so the contract and the provider's controls become part of the treatment.

  4. Accept: Accept the risk as-is because it already falls within risk appetite and tolerance, but keep monitoring it so you notice if it drifts outside the approved tolerance (for example, because likelihood or impact changes) and needs a different response.
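The cost/benefit comparison described above can be made concrete with a small model. The following is an added example, not code or figures from the original post. It assumes a simple expected-loss model (annual expected loss = likelihood x impact), scores each of the four response types by its own annual cost plus the residual expected loss it leaves, and only treats an option as eligible if that residual loss sits within the approved tolerance. The risk, the tolerance, and every dollar figure (`VPN_RISK`, `OPTIONS`, `TOLERANCE`) are constructed for the illustration.

```python
"""Cost/benefit comparison of risk treatment options.

Added illustration, not from the original post. Model assumption: a risk's
annual expected loss is likelihood x impact, a treatment is judged by the
residual expected loss it leaves plus its own annual cost, and a treatment is
only eligible if that residual loss is within the approved tolerance.
All names and figures below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability of the loss event, 0..1
    impact: float      # expected loss per event, in dollars

    def expected_loss(self) -> float:
        # Inherent (untreated) annual expected loss, rounded to cents.
        return round(self.likelihood * self.impact, 2)


@dataclass(frozen=True)
class Treatment:
    response: str            # one of: avoid, mitigate, transfer, accept
    description: str
    annual_cost: float       # what the treatment itself costs per year
    residual_likelihood: float
    residual_impact: float

    def residual_loss(self) -> float:
        # Annual expected loss that remains once the treatment is in place.
        return round(self.residual_likelihood * self.residual_impact, 2)

    def total_cost(self) -> float:
        # What the organization actually pays: the treatment plus the residual risk.
        return round(self.annual_cost + self.residual_loss(), 2)


def within_tolerance(t: Treatment, tolerance: float) -> bool:
    return t.residual_loss() <= tolerance


def rank_treatments(options: List[Treatment], tolerance: float) -> List[Tuple[str, float, float, bool]]:
    """(response, residual_loss, total_cost, within_tolerance) for every option,
    cheapest total first, in a shape that can go straight into the risk register."""
    rows = [(t.response, t.residual_loss(), t.total_cost(), within_tolerance(t, tolerance))
            for t in options]
    return sorted(rows, key=lambda r: r[2])


def select_treatment(options: List[Treatment], tolerance: float) -> Optional[Treatment]:
    """Cheapest option whose residual loss is within tolerance.
    None means no option qualifies: revisit the options or escalate for a
    documented acceptance above tolerance rather than silently picking one."""
    eligible = [t for t in options if within_tolerance(t, tolerance)]
    if not eligible:
        return None
    return min(eligible, key=lambda t: t.total_cost())


# Constructed example: an internet-facing VPN appliance with a poor patch record.
VPN_RISK = Risk("Compromise of internet-facing VPN appliance", likelihood=0.30, impact=2_000_000)
TOLERANCE = 100_000  # maximum residual annual expected loss the unit may carry

OPTIONS = [
    Treatment("accept", "Leave as-is and monitor", 0, 0.30, 2_000_000),
    Treatment("mitigate", "Enforce a 14-day patch SLA and MFA on the VPN", 40_000, 0.05, 2_000_000),
    Treatment("transfer", "Cyber insurance covering 85% of the loss", 90_000, 0.30, 300_000),
    Treatment("avoid", "Decommission the appliance; move to ZTNA", 150_000, 0.01, 2_000_000),
]

if __name__ == "__main__":
    print(f"Inherent expected loss: ${VPN_RISK.expected_loss():,.0f}")
    for response, residual, total, ok in rank_treatments(OPTIONS, TOLERANCE):
        flag = "within" if ok else "OUTSIDE"
        print(f"{response:9} residual ${residual:>9,.0f}  total ${total:>9,.0f}  {flag} tolerance")
    best = select_treatment(OPTIONS, TOLERANCE)
    print("Recommended:", best.response if best else "none; escalate")
```

With these constructed numbers, accepting is ruled out because its residual loss exceeds tolerance, and mitigating wins on total cost even though avoiding leaves the smallest residual; that is the point of scoring on cost plus residual rather than on residual alone. Replace the expected-loss model with whatever quantification your ERM team already uses; the selection rule is the same.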

Once you decide on risk treatment and security controls, you should develop a corrective action plan. A corrective action plan is a step-by-step plan of action with defined milestones that risk owners will follow to treat the risk. If the risk register represents the "what," a corrective action plan represents the "how and when."

The development and use of corrective action plans should be part of your organization’s risk management strategy and standardized across the organization, but this requires buy-in as it will inevitably generate work for other teams.

Get this buy-in by identifying how work is surfaced in other teams’ workstreams. If the only projects that get attention are those that get talked about in a weekly scrum meeting, then make sure your initiatives are included there.

Next time we'll talk about developing a portfolio view.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up. Have a great week!
