Risk Strategy

Once an organization has identified a risk, it needs to decide what (if anything) it is going to do about it. This is called its Risk Strategy. The extent to which an organization is prepared to accept a risk is its Risk Tolerance.

The common options are as follows:

• Risk Acceptance. Do nothing or effectively self-insure against the risk. This is the default strategy if you do nothing. It is also an appropriate strategy if you are a large company with lots of resources and the impact of the risk is comparatively small. Governments frequently self-insure many risks as they are sufficiently large to absorb any potential losses and this saves on the difference between insurance premiums and expected losses.
• Risk Transfer. The most common example of this is insurance (paying another company to take the risk), but other examples include joint ventures (which share the risk) and contracting out operations (which transfers the risk in exchange for potentially higher costs).
• Risk Avoidance. Change the process or procedure so that the risk is eliminated.
• Risk Mitigation. Adopting changes to operations and procedures or adding additional controls or training to either reduce the likelihood of a threat occurring, or to reduce the impact of the threat when it does occur. Business Continuity Planning — pre-planning what the organization will do in the event of an incident — is sometimes regarded as a risk mitigation strategy in itself.

In the Risk Assessment Toolkit, the risk strategy is recorded with each Threat to [Item], and displayed in the Risk Register. Management should check the risk strategies identified in the Risk Register to ensure that they match the organization's Risk Tolerance.