Your organization needs to have defined processes in place for completing risk treatment and risk mitigation activities once a risk assessment has been completed. Without these processes in place, risks may be identified during risk assessments but never properly addressed and managed. Treatment and mitigation requirements need to be assigned to clearly defined owners. This helps to ensure that appropriate personnel are held accountable for addressing identified risks in a reasonable timeframe. If not, your organization may fall victim to one of the worst types of risk – one of which you are aware of but do nothing to resolve.
Risk treatment and risk mitigation actions should be prioritized based on the business importance or criticality of impacted systems, probability of risk impact, financial impact, reputational impact, or legal impact. The risk treatment process should determine all activities that are necessary to address or mitigate risks. This process should result in a documented risk treatment plan. Once a risk treatment plan is developed, appropriate risk mitigation should occur to ensure that identified risks are effectively managed.
Understanding Risk Tolerance in Cybersecurity
The risk tolerance of your organization will influence risk treatment decisions and actions. Your risk treatment process should include the need to determine an appropriate response to risk before generating a plan of action. Overall risk treatment and mitigation decisions should include performing a cost-benefit analysis of any planned remediation activities or the implementation of countermeasures.
Risk treatment is generally performed in one of the following ways:
- Risk Avoidance: This approach eliminates risks by avoiding the activity that provides the risk opportunity. For example, the risk associated with the use of wireless networks can be avoided by disabling or not implementing wireless technologies.
- Risk Reduction: Risks can be reduced through the implementation of mitigating controls that reduce the likelihood of occurrence of the risk or impact of the risk. An example would be encrypting data in transit to reduce the risks that threaten the confidentiality of data.
- Risk Transference: Risk can be reduced by shifting risk responsibility to an outside entity. For example, purchasing insurance against fire or flood damage transfers risk associated with these events from your organization to the insurance company.
- Risk Monitoring: If a risk has been identified but not yet well understood, additional monitoring and research may be required to determine the actual impact on your organization. An example of risk monitoring is deferring action of risk until it is better understood and the need to address it is apparent.
- Risk Acceptance: Your organization can choose to accept risks by not implementing any of the above approaches. If acceptance is selected as the method to address identified risks, management acceptance of the risk must be approved by a person who is authorized to accept risk on behalf of your organization.
Pro Tip:
Limit the number of risks that are “accepted” by your organization. Accepting too many risks will eventually defeat the purpose of having a risk management program in place by leaving your organization susceptible to threats versus addressing them properly.
Cybersecurity Risk Assessment Process
The criteria to be used to determine whether an identified risk will be avoided, reduced, transferred, monitored, or accepted should be defined and documented. Regardless of how risks are managed, risk treatment requires careful planning, monitoring, and oversight. Executives, risk management teams, and other stakeholders should be involved in reviewing and acknowledging risk treatment decisions to ensure transparency as well as ongoing support for the process. More than any other area of risk management, assigning risk treatment requires effective and continual communication to drive stakeholder interaction and engagement in the process. Your treatment process should include the following activities:
- Assign a method of treatment to all identified risks based on risk valuation and prioritization
- Update the risk register with treatment decisions
- Develop treatment strategies
- Assign the implementation of treatment strategies to individuals or roles
- Communicate and validate risk treatment decisions and strategies to appropriate stakeholders
A core principle of enterprise risk management is that not all risks can be removed for your organization or any organization. Regardless of risk treatment and mitigation efforts, some level of residual risk will remain. The changing dynamics of the threat and risk environment require ongoing monitoring. The status of any residual risk should be tracked and monitored as your organization’s objectives, risk tolerance, threats, and business operations continue to evolve. If residual risk is not adequately monitored, what is a low priority today can evolve into tomorrow’s risk management failure.
Deeper Dive into the Risk Mitigation Process
Risk mitigation is the process of implementing specific controls to reduce risk. The effectiveness of these controls should be evaluated to ensure they protect against the identified threats or vulnerabilities as intended. Evaluation of these controls can be accomplished with tools that supplement and complement assessment or audit activities. Two examples of these tools are control self-assessments and scenario analysis:
- Control self-assessment: Internal activity to assess the effectiveness of processes and related controls through testing, validation, and review of control evidence.
- Scenario analysis: Process of analyzing plausible future events by considering alternative outcomes.
Additionally, the evaluation of mitigating controls should encompass external requirements, such as laws, regulations, and widely accepted control standards and practices. Failure to comply with external requirements, whether legal, regulatory, or contractual, can result in compliance risk as well as strategic, reputation, or other risks. Conformance with widely accepted control standards and practices can demonstrate due care in the operation of security controls and potentially reduce operational risk.
Conformance with external requirements alone is not sufficient to ensure that the overall process is adequate. The risk management process encompasses risk posed by business operations in your organization’s specific internal and external environment. Accordingly, the risk mitigation evaluation process should consider whether the controls used for mitigation, when combined with other controls included in the cybersecurity program, mitigate the risk as intended.
Look to Vistrada Cybersecurity experts for more information on assessing risks for any enterprise organization.
