After you perform a risk assessment, what do you do with the results? Find out the answers to that and other common risk assessment questions in part 2 of this series! If you want to learn how to perform a risk assessment, check out part 1 of the blog here.
How do you treat risks?
Several options exist for risk treatment. Management should choose the risk treatment option based on risk appetite and the organization’s risk management policy. The risk treatment options are listed below:
Mitigate: The most common strategy, risk mitigation involves implementing controls to lower the risk to an acceptable score.
Accept: Risk acceptance is when management chooses to accept risk with no further action. This is often because risk is below a certain threshold or because it is a critical part of the business.
Transfer: Risk transfer involves transferring risk to a third party. The most common method is by purchasing insurance. Outsourcing parts of your operations to a third party is also a valid risk transfer option. Just know that third-party risks must be considered in this case.
Avoid: Avoiding risk means that management chooses to completely avoid risky circumstances. This may mean avoiding a new product line or deciding not to hire a vendor.
More information on these treatment options can be found in the ISO 27005 standard.
How do you track risk remediation?
Management must track risks to remediation. Accountability is critical – who should implement the remediation plan, and by what date?
During the regular tactical risk meetings, teams should provide updates on their risks. (See the section "How often should you assess risk?" in part 1 of this series.) Management reviews and all other remediation documentation should be maintained in a central location. A GRC tool is a common solution for storing remediation documentation.
What documentation do you need?
A full risk management program will have a suite of documentation supporting it. Below are some of the primary documents you should draft, ratify, and keep updated:
Risk management policy: The risk management policy documents the entire risk management process. This includes meeting cadences, assessment criteria, and applicable treatment strategies.
Risk council charter: The risk council charter gives authority and responsibility to the management group in charge of the risk management process. It should specify the members of the council and their specific duties.
Remediation plans: For each risk identified, management should document the risk description, remediation plan, assignee, and due date.
Remediation documentation: All updates to and reviews of each risk should be documented. It should be possible to trace a risk from initial identification, through remediation, to its final treatment.
A risk management program is governed by a risk management policy. The risk council is empowered by a charter to perform an annual risk assessment with quarterly follow-ups.
During the risk assessment, management should consider risks from various categories, rank identified risks, and create remediation plans. On a regular basis, tactical teams should meet to address their progress on these risks.