Risk management transforms duty to protect into what to protect, selects between risk acceptance, transfer, avoidance, and mitigation, and for risk mitigation approaches, attempts to match surety of mitigation with desired risk reduction.
Risks are generally formed from the combination of threats, vulnerabilities, and consequences. Threats, including nature and accidents as well as individual actors and groups, possibly acting in concert, exploit sequences of vulnerabilities to induce consequences.
Risk evaluation: Risks have to be identified and evaluated in order to be managed. The objective of risk evaluation is to identify event sequences with potentially serious negative consequences based on the business model.
Consequences: These event sequences are identified and rated by consequence, typically into low, medium, and high, or by other means. Low consequence is considered typical of business risks such as slip and fall accidents, and similar event sequences that are readily insurable. Medium risks tend to have serious business impact and include event sequences leading to public relations problems, loss of substantial amounts of trust or money, inability to perform on select important contracts, and so forth. High consequences tend to involve loss of life, great harm to the environment, collapse of the business, and/or jail time to executives.
Threats: For event sequences involving medium or high consequences, threats are assessed with increasing attention and detail for higher consequences. As threats are identified, their capabilities and intents are taken into consideration in assessing the threats. [Drill-Down]
Vulnerabilities: For systems with identified high or medium consequences and whose threats have been assessed as having the capabilities and intents to induce those consequences, vulnerability analysis and mitigation is considered. [Drill-Down]
Risk Treatment: Risk treatment is the process by which risks that are worthy of attention are managed and risks not worthy of consideration are accepted. A risk treatment plan should be identified for all risks identified.
Risk acceptance: Risk acceptance involves a decision by management to accept a given risk without further mitigation or transfer, for a period of time. This happens in two classes of circumstances. For risks that are too low to bother protecting against or for which insurance and due diligence are adequate, risk is accepted. For risks that are to be mitigated but where mitigation cannot be done instantaneously or for which rapid mitigation is too expensive to warrant, risks are accepted for periods during which mitigation is undertaken.
Risk avoidance: Risk avoidance is a business strategy in which certain classes of activities or business processes are not undertaken because the risks are too high to justify the return on investment. A typical example is a decision about the maximum value to be placed in a vault, at a site, or on a truck. This strategy avoids the aggregation of risks associated with placing excessive value in one place. Other similar avoidance strategies such as not opening offices in war zones or not doing business in certain localities are commonplace in business.
Risk transfer: Risk transfer for low consequences is usually affordable and reasonable if some level of reasonable and prudent controls are in place. This meets due diligence standards for low risk systems. Risk transfer for medium and high consequences is rare, expensive, and only justified in cases where the worst case loss is not sustainable and an adequate outside insurance capacity is willing to take on the risk. This is a strategy that loses in the long run for medium and high risks.
Risk mitigation: Risk mitigation seeks to reduce the residual risk by using safeguards to eliminate or reduce the likelihood of event sequences that can cause serious negative consequences. This involves reduction of threats, reduction of the link between threats and vulnerabilities, reduction of vulnerabilities, reduction of the link between vulnerabilities and consequences, and reduction of consequences associated with event sequences. All mitigation leaves residual risk that eventually has to be accepted, transfered, or avoided. The question is how much reduction is desired and how much is afforded by the mitigation strategy employed. [Drill-Down]
Interdependencies: The business function of information or technology depends on people which in turn depend on applications and applications infrastructures. These in turn depend on systems and system infrastrctures that depend on physical infrastructures. Ultimately these all depend on critical infrastructures. These interdependencies contribute to risk aggregation so that risk is aggregated to a larger extent as you move to more interdependencies.
Matching surety to risk: Generally, higher certainty implies greater costs. So the desire to reduce costs has to be balanced with the desire to reduce risks. As a rule of thumb, as risks increase the certainty with which they should be mitigated should also increase. Thus the notion that surety should match risk. Different risk mitigation approaches have different surety levels as indicated under the protective mechanisms area.
Risk management is the process used by enterprises to turn duty to protect into decisions of what to protect and to what extent they should be protected. It leads to the executive security management function that is tasked with carrying out the duty to protect the things that should be protected to the extent appropriate to the need as identified by risk management.