Management, compliance & auditing

Risk treatment options, planning and prevention

Infosec
January 4, 2018 by
Infosec

Risk – it’s an inherent part of doing business in any industry or niche. Risks exist in a myriad of forms, ranging from financial to cyber-attacks, and everything in between. However, not all businesses face the same risk, or even the same level of risk within a specific category. In addition to understanding the threats your organization faces, knowledge of how risk treatment options can help mitigate the effects of those threats is important.

What are the types of risk treatment options?

There are several different types of risk treatment options. Of course, it’s helpful to understand what a risk treatment actually is. Really, it’s nothing more than an action taken to help manage or mitigate a risk. A very general example would be installing fire alarms to mitigate the risk of fire within a building.

Of course, before you can take any sort of risk treatment action, you must understand what risk it is that you face. This requires the conduction of a risk analysis. Identifying risks can be done in any number of ways, from studying past projects or incidents to predict what might occur if your company were to take a specific action, to studying current documentation regarding other businesses and the risks they incurred through specific activities, actions or decisions. Once identified, you can then take steps to mitigate or prevent that risk.

You can break risk treatment options down in a number of types:

  • Avoid: Risk avoidance is actually pretty self-explanatory. If a risk is deemed too high, then you simply avoid the activity that creates the risk. For instance, if flying in an airplane is too risky, you avoid taking the flight in the first place, and completely avoid the risk. Another example would be hiring an individual whose references would not recommend rehiring him — by not hiring him, you avoid the risk that he would not be an asset to your company.
  • Transfer: In many instances, you can transfer the risk you take to another party. For instance, insurance companies exist for exactly this reason. You can also outsource the process in which the risk is present to another provider, thereby transferring the risk to the outsource provider.
  • Reduce: Risk reduction is one of the most crucial steps for processes or activities that cannot be avoided, and where risk cannot be transferred to another party. An example of this would be training your staff on how to identify a phishing email, or on best practices involving login credentials and password hygiene.
  • Accept: For some processes and activities, there is no option but to accept the risk. Of course, these instances should only involve low risk, or repercussions that are easily managed. Some risks might be completely acceptable and require you to take no action at all (a missed deadline on an open-ended project schedule, for instance).

Note these risk treatment options do not always reduce risk to nothing. In many cases, there is residual risk that must also be considered. In other instances, secondary risk can have an effect on your company, as well.

What are the steps in developing a risk treatment plan?

Developing a risk treatment plan is essential, but it requires you to follow a few very specific steps. However, before you can begin creating treatment plans, you will need to determine the level of treatment plan necessary at each risk level. For instance, what level of treatment would be necessary for a moderate risk? What about a minor risk? What about a high risk? What improvement opportunities are available?

  • Treatment: The first step in developing a treatment plan is to specify the treatment option you will use, whether that is acceptance, transfer, sharing or something else.
  • Document: Next, you’ll need to create a treatment plan document that outlines the approach you’ll follow.
  • Accountability/Ownership: After creating the outline, you’ll need to determine who is accountable for ensuring the plan is implemented correctly and monitoring it moving forward.
  • Timeline: Finally, you’ll need to set a resolution date — this is the final date by which the situation should be resolved.

Important tips for implementing & monitoring a risk treatment plan

A number of important tips can help ensure risk treatment plans are implemented correctly and monitored accurately. These include:

  • Ensure the right structure is used to support the treatment plan. This may involve additional task delegation.
  • Make sure that adequate resources are available for those involved in risk mitigation.
  • Communication should be a significant concern, not only within the treatment plan, but also with key stakeholders.
  • Accurate, timely risk analysis is the key to ensuring the right risk treatment plan can be developed.
  • Ensure the owner of the treatment plan is able to specify how implementation will be monitored, including key indicators that note increasing or decreasing risk levels.
  • Review treatment plan effectiveness and risk levels regularly through meetings. Include all stakeholders in these meetings.

Common tools used for risk treatment

A number of tools can be used with risk treatment plans, but perhaps the most useful is a risk register. This document details the event in question, the action taken, an outline of the plan that will be followed, the name of the owner and when the situation should be resolved.

Conclusion

Ultimately, risk is present in virtually every business activity, from hiring employees to storing data in the cloud. It is vital that risks be identified, analyzed and evaluated, and then treated with the applicable action. Failure to take any of these steps could put your organization in danger.

Sources:

Infosec
Infosec