Risk Management Strategies
Risk management strategies describe the proactive and systematic approaches used to identify, assess, prioritize, and mitigate risks to minimize their negative impacts.

  • aka risk treatment

Risk Responses

Risk Avoidance

Risk avoidance is the practice of ceasing activity that presents risk.

  • may decide that the cost/risk of an activity/application is not worth the benefit

Risk Acceptance

Risk acceptance is the response of determining that a risk is within the organization’s appetite and that no countermeasures other than ongoing monitoring are needed.

  • aka risk tolerance
  • risk level does not justify countermeasures
  • cost of mitigating the risk is greater than the impact of the risk itself

Risk Mitigation

Risk mitigation is the response of reducing risk to fit within an organization’s willingness to accept risk.

  • aka risk remediation
  • by applying security controls to reduce the probability and/or magnitude of a risk

Risk Deterrence

Risk deterrence is the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario.

  • aka risk reduction
  • refers to controls that can either make a risk incident
    • less likely
    • less costly
    • or both

Risk Transference

Risk transference is the response of moving or sharing the responsibility of risk to another entity.

  • aka risk sharing
  • e.g., using third parties or cybersecurity insurance

Risk Management Exceptions

Risk exception is a category of risk management that uses alternate mitigating controls to control an accepted risk factor.

  • applies when a risk cannot be mitigated:
    • using standard risk management practices
    • or within a specified time frame due to financial, technical, or operational conditions
  • formally recognizes the risk and seeks to identify alternate mitigating controls
  • stakeholders must approve all risk exceptions
  • should be temporary and reviewed on an established time frame
    • to determine whether the risk levels have changed or if the exception can be removed

Risk exemption is a category of risk management that accepts an unmitigated risk factor.

  • generally associated with situations where the cost of mitigating a risk:
    • outweighs its potential harm
    • or can lead to significant strategic benefits when accepted
  • must be
    • formally documented and approved by stakeholders
    • periodically reviewed using an established timetable

Residual Risk

Residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

  • has the scope of a single system

Risk Appetite

Risk appetite is a strategic assessment of what level of residual risk is tolerable.

  • is broad in scope
    • project- or institution-wide
  • constrained by regulation and compliance
  • critical in determining
    • which risks are added to a risk register
    • and how they are prioritized
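The following is an added worked example, not part of the original notes, showing how the ideas above (inherent vs. residual risk, risk appetite, the treatment options, and register prioritization) fit together in a small risk-register model. Everything in it is an assumption for illustration: the 1-5 likelihood and impact scales, the "likelihood x impact" score, the per-control reduction factors, the appetite threshold of 6.0, and every risk, control and cost figure are constructed sample data.

```python
"""Risk register example (added illustration; scoring model and all figures are assumed)."""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A security control and the fraction of likelihood/impact it leaves behind."""
    name: str
    likelihood_factor: float   # 0.3 means the control leaves 30% of the original likelihood
    impact_factor: float       # 1.0 means the control does not change the impact
    annual_cost: float         # yearly cost of operating the control (constructed figure)


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    annual_loss: float         # expected yearly loss if the risk is realised (constructed)
    controls: list = field(default_factory=list)
    transferable: bool = False # can be insured or outsourced to a third party

    def inherent(self) -> float:
        """Inherent risk score before any control: likelihood x impact."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Residual risk: the score that remains after the listed controls are applied."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        return round(lik * imp, 2)

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)


def choose_response(risk: Risk, appetite: float) -> str:
    """Map one risk to a treatment option using the definitions in the notes."""
    if risk.inherent() <= appetite:
        return "accept"        # within appetite: ongoing monitoring only
    if risk.controls and risk.residual() <= appetite:
        if risk.control_cost() <= risk.annual_loss:
            return "mitigate"  # controls are effective and cheaper than the expected loss
        return "exemption"     # effective, but mitigation cost outweighs the harm: needs approval
    if risk.transferable:
        return "transfer"      # share with an insurer or third party
    if risk.controls:
        return "exception"     # controls fall short: alternate controls, time-boxed review
    return "avoid"             # nothing brings it within appetite: stop the activity


def prioritise(register: list, appetite: float) -> list:
    """Order the register: risks above appetite first, highest residual score first."""
    return sorted(register, key=lambda r: (r.residual() <= appetite, -r.residual()))


# Constructed sample controls and register (not real data).
MFA = Control("MFA on remote access", 0.3, 1.0, 12000)
BACKUPS = Control("Offline backups", 1.0, 0.4, 8000)
WAF = Control("Managed WAF", 0.6, 0.8, 40000)
HARDENING = Control("Dedicated hardening project", 0.5, 0.6, 25000)

REGISTER = [
    Risk("R1", "Credential stuffing against VPN", 5, 4, 150000, [MFA]),
    Risk("R2", "Ransomware on file servers", 3, 5, 500000, [BACKUPS]),
    Risk("R3", "Defacement of brochure site", 2, 2, 5000, []),
    Risk("R4", "Legacy app on unsupported OS", 4, 4, 30000, [], transferable=True),
    Risk("R5", "SQL injection in public portal", 4, 5, 20000, [WAF]),
    Risk("R6", "Untested internal tool", 3, 3, 9000, [HARDENING]),
    Risk("R7", "Unmanaged devices on production network", 4, 3, 20000, []),
]

APPETITE = 6.0  # assumed residual-risk threshold the organization tolerates


def treatment_plan(register=REGISTER, appetite=APPETITE) -> dict:
    """Return {risk id: (inherent, residual, response)} in priority order."""
    return {r.rid: (r.inherent(), r.residual(), choose_response(r, appetite))
            for r in prioritise(register, appetite)}


if __name__ == "__main__":
    for rid, (inh, res, resp) in treatment_plan().items():
        print(f"{rid}: inherent={inh:5.2f} residual={res:5.2f} -> {resp}")
```

R1 and R2 land on "mitigate" because their controls bring the residual score to the appetite line at a cost well below the expected loss; R6 shows the exemption case (the control works, but costs more than the harm it prevents); R5 shows the exception case (the WAF reduces but does not remove the risk, so alternate controls and a review date are needed); R4 is transferred and R7, with no control and no transfer option, is avoided. The sort puts every risk still above appetite at the top of the register.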