Once an organization has identified a risk, it needs to decide what (if anything) it
is going to do about it. This is called its Risk Strategy. The extent to
which an organization is prepared to accept a risk is its Risk Tolerance.
The common options are as follows:
- Risk Acceptance. Do nothing, or effectively self-insure against the risk. This is the default strategy
if no other action is taken. It is also an appropriate strategy if you are a large company with lots of resources and the
impact of the risk is comparatively small. Governments frequently self-insure many risks, as they are sufficiently large
to absorb any potential losses, and this saves the difference between insurance premiums and expected losses.
- Risk Transfer. The most common example of this is insurance (paying another company to take the risk), but
other examples include joint ventures (which share the risk) and contracting out operations (which transfers the risk in exchange
for potentially higher costs).
- Risk Avoidance. Change the process or procedure so that the risk is eliminated.
- Risk Mitigation. Adopting changes to operations and procedures, or adding controls or training, to
either reduce the likelihood of a threat occurring or reduce the impact of the
threat when it does occur. Business Continuity Planning — pre-planning what the
organization will do in the event of an incident — is sometimes regarded as a
risk mitigation strategy in itself.
In the Risk Assessment Toolkit, the risk strategy is recorded with each Threat to [Item], and
displayed in the Risk Register. Management should check the risk strategies identified in
the Risk Register to ensure that they match the organization's Risk Tolerance.