Managing risk is not easy despite it often being considered “common sense” since we do risk assessments all the time in our day-to-day life.
Professionally, managing risk can be especially confusing when we need to formalize it and present it to management in a context that helps management make decisions. The reason for the confusion is due to the terms that risk management professionals use at time interchangeably. Two such terms that create confusion are “risk mitigation” and “risk treatment.” To me, risk mitigation refers to the reduction in the level of risk by implementing controls, whereas risk treatment refers to the overall approach for managing risk. ISACA provides the standard meaning for most risk-related terms through its CRISC certification.
It should be noted that ISACA uses the term “risk response” in place of risk treatment. Risk response refers to determining how an organization wants to manage the identified and assessed risk. Every organization wishes that its risk will not impact organizational operations and at the same time be cost-optimal. To achieve these objectives, organizations can choose from multiple risk responses: Acceptance, Avoidance, Mitigation, Transfer/Share and Increase. The challenge then becomes how to determine the mix of different responses to achieve the organization’s objectives for its risk management process.
To help meet the challenge, ISACA has published a new white paper, Optimizing Risk Response. The white paper beautifully illustrates with appropriate examples the most common risk responses, their potential benefits, and common pitfalls associated with each type of response. It also emphasizes the complexity of risk decisions made in a constantly changing threat landscape. The white paper also provides a very solid understanding of the inconsistencies, opportunities, obstacles, strengths and weaknesses inherent in risk response options, enabling readers to understand how to manage risk in a way that aligns with enterprise goals and risk culture.
Apart from enabling readers to better understand risk responses, the white paper details various standards and frameworks for risk management to identify commonalities in terminology and help readers to understand differences among various standards and frameworks. This helps to resolve confusion regarding frameworks and their definitions, though their overall intentions are generally the same.
The publication also helps us understand the influence of risk response options on risk and reiterates the relationship between risk appetite and risk response. It also explains the different terms for risk appetite, risk tolerance and risk capacity so that we can better understand them within the context of risk response.
There are two other particularly interesting aspects of this white paper:
- One risk option can be to exploit or increase the risk. To that end, the white paper explains positive risk, despite many risk professionals believing that risk is always negative. The Project Management Institute, however, contends that positive risk is the risk associated with overachievement. Positive risk represents opportunities. However, if the organization is not in position to use this opportunity to its advantage, it may result in negative risk.
Let me explain with an example. Suppose a caterer started a restaurant with an expectation of X number of customers, but received a positive response and more than X customers lined up for service. In that case, the caterer can’t meet demand because of insufficient resources. This may have a negative impact on his or her reputation. Therefore, we need to consider the positive risk with caution. - Considering loss exceedance can help risk professionals analyze their response. This shows the probability of losses exceeding a predetermined level and provides decision-makers with complete risk information, showing the full range of potential losses stemming from an adverse event.
In its conclusion, the white paper notes that “Risk response is complex. Choosing and optimizing an efficient response goes beyond picking ‘mitigate’ as a default when a risk analysis is complete and is fraught with additional problems like unintended consequences, inefficiencies and moral hazard.”
I consider this white paper to be a must-read for all risk and governance professionals.