Fri Apr 8 06:51:39 PDT 2016

Risk Management: Risks: When does the enterprise avoid, accept, transfer, and mitigate information-related risks?


Options:

Option 1: Avoid Risks
Option 2: Accept Risks
Option 3: Transfer Risks
Option 4: Mitigate Risks

Decision:

Decisions are codified in the following table:
Acceptable

Transferable

Reducible

Action

No

No

No

Do not engage in this - avoid the risk

No

No

Yes

Propose reduction and re-evaluate

No

Yes

No

Insure or avoid the risk

No

Yes

Yes

Balance reduction with insurance cost

Yes

No

No

Accept or avoid the risk

Yes

No

Yes

Balance reduction vs. acceptance cost

Yes

Yes

No

Accept or avoid the risk

Yes

Yes

Yes

Balance all three and optimize

When to accept, mitigate, transfer, and avoid risks

Basis:

Avoid Risks

Risk avoidance is practiced when other alternatives are unacceptable, and usually results in not pursuing business opportunities. Most business people have good reasons for wanting to do the business activities they plan and if information technology becomes a barrier to doing business, the security risks must often be taken just as the financial risks associated with the venture must be taken if success is to be achieved. But risk avoidance is also practiced by many businesses when they have a clear understanding of risks and those risks are truly high.

Accept Risks

Risk acceptance is the most common mode of operation today and it results in the staggering losses we see in the marketplace. When risk management is not properly carried out, residual risk is accepted by default. When proper risk management is undertaken, residual risk is quantified and understood by the decision makers and accepted in a rational decision.

Transfer Risks

Risk transfer typically involves insurance of some sort, but risk is indirectly transferred to shareholders when a risk is accepted, and risk can often be contractually transferred. Contractually transferred risk is a very touchy thing because most companies are hesitant to sue over contractual lapses, suits take a long time, there are limits as to what can be really transferred. Reputation risks don't transfer in any circumstance and thus form a residual risk associated with any risk transfer. Risk transfer is necessary whenever outsourcing anything with substantial consequence, and this is one of the reasons to seriously consider these issues when outsourcing.

Mitigate Risks

Risk mitigation typically involves the implementation of a variety of safeguards intended to reduce risk while leaving an acceptable or transferable residual risk. The form of risk mitigation to be taken is a very complex issue. Many of the security decisions included in this book and most of the time and effort spent in technical information protection deals with risk mitigation issues.

Risk management is at the discretion of top management, however, reasonable and prudent top management often makes selections based on the criteria provided here.

A more complex analysis can be done by weighting acceptability, transferability, and reducibility, and applying metrics, but the cases where such analysis is helpful are quite rare.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved