19. Risk Treatment
ND545 C4 L3 10 Risk Treatment Video
Once a risk assessment has been performed, what do you do about the risk? One of the first things you will need to do is work with stakeholders to treat the risk. Risk treatment is the process of deciding, and stating at a high level, what the organization will do about each identified risk. Typically, there are five options for risk treatment:
- Accept - Accept the risk as it is, without taking any further action. The risk is documented and monitored, but no control is added.
- Modify - Implement a control that reduces the likelihood or the impact of the risk, or otherwise changes it. This is sometimes called mitigation.
- Avoid - Stop the activity that creates the risk, or choose to do something altogether different so the risk no longer applies.
- Transfer - Shift some of the consequences of the risk to another party. In most cases cybersecurity risk transference means insuring against the risk through a cybersecurity insurance policy, or creating a shared liability model with a vendor. Note that transfer moves the financial impact, not the accountability: the organization still owns the risk and its regulatory and reputational consequences if the event occurs.
- Capitalize - The capitalize option is normally reserved for financial or business risk, where there is an opportunity to take on additional risk in pursuit of potential gains.
How you ultimately decide to treat the risk is a function of the organization's risk appetite, which in turn is based on the company's risk posture. Risk posture is how the organization as a whole feels about risk, and it is typically shaped by things like the organization's size, maturity, and business goals. Risk posture is generally expressed as the organization being risk accepting, risk neutral, or risk averse, meaning that the organization is prepared to take on a lot of risk, some risk, or very little risk as a matter of practice. Again, the organization's posture is a function of how it intends to operate. If a company desires high growth, for instance, it may very well be willing to take on more risk in an attempt to drive that growth. An organization like this would be risk accepting.
You will need to collaborate closely with business stakeholders to understand risk appetite and reach an appropriate risk treatment option. In the case of risk acceptance, your organization may very well require a management exception to accept the risk: a process in which a high-level stakeholder formally acknowledges and signs off on the acceptance. In practice, that acceptance should be recorded in the risk register along with who accepted it and when it will be reviewed, so that accepted risks are revisited rather than forgotten.