4 Ways to Treat Risk

You’ve done this risk assessment. You’ve talked about monitoring. What do you do with the risks once you’ve assessed them? Well, general principles tell us that there are actually four ways to treat risk within your organization.

The first is to avoid it entirely. The circumstances that cause the risk or the core threat are often driven by a location or by a special circumstance that, if you can remove it from the picture, actually removes the risk from the picture. That’s probably the easiest way to avoid risk, but not eminently practical across most organizations and most risks that you come across.

The second thing you can do is transfer risk. Now, this is commonly done in two ways. In the old-school method, we would take out cyber security insurance. Insurance is a common risk transference setup. You do it for your house all of the time. We have homeowners' insurance so that if my bathroom floods and I get the floor replaced, I’m transferring the risk of the flooding bathroom onto the insurance company. Similarly, cyber security insurance takes the cost of an event and moves it off to an insurance company. Unfortunately, not all risk can be transferred. Reputational risk is going to stick with you no matter what. A breach that occurs that you are responsible for is going to make the news, and there’s no escaping that or transferring it away to an insurance company. Similarly, we look to third parties for transferring risk. In this modern day and age, we think of things like cloud service providers or software service providers that work with our organizations to assume some of the risks that we see in our operations. There’s nothing wrong with transferring risk through a service agreement, but remember that you remain ultimately responsible for those third-party service providers and the services they provide. It falls on you to monitor, maintain, and manage their compliance just as it does your own.

You can also mitigate risk yourself. This is where we talk about typical controls: everything from locks on your doors, to login protocols, to access control lists on your firewall. All these things exist to reduce the overall risk that’s coming into your environment.

You can also accept risk. Now, key to risk acceptance is that there’s no such thing as a fully mitigated risk. You can never remove all of the possibility of a risk occurring. At some point you must accept a risk. Make sure that you, as a company principal, are accepting risks that you can live with. And remember, acceptance of risk falls on the company officership and the board of directors. At the end of the day, those are the individuals in an organization that are empowered to do risk acceptance.
