Risk management transforms duty to protect into what
to protect, selects between risk acceptance, transfer, avoidance, and
mitigation, and for risk mitigation approaches, attempts to match surety
of mitigation with desired risk reduction.
Risks are generally formed from the combination of
threats, vulnerabilities, and consequences. Threats, including
nature and accidents as well as individual actors and groups, possibly
acting in concert, exploit sequences of vulnerabilities to induce
Risk evaluation: Risks have to be
identified and evaluated in order to be managed. The objective of risk
evaluation is to identify event sequences with potentially serious
negative consequences based on the business model.
Consequences: These event sequences are
identified and rated by consequence, typically into low, medium, and
high, or by other means. Low consequence is considered typical of
business risks such as slip and fall accidents, and similar event
sequences that are readily insurable. Medium risks tend to have serious
business impact and include event sequences leading to public relations
problems, loss of substantial amounts of trust or money, inability to
perform on select important contracts, and so forth. High consequences
tend to involve loss of life, great harm to the environment, collapse of
the business, and/or jail time to executives.
Threats: For event sequences involving
medium or high consequences, threats are assessed with increasing
attention and detail for higher consequences. As threats are
identified, their capabilities and intents are taken into consideration
in assessing the threats.
Vulnerabilities: For systems with
identified high or medium consequences and whose threats have been
assessed as having the capabilities and intents to induce those
consequences, vulnerability analysis and mitigation is considered.
Risk Treatment: Risk treatment is the
process by which risks that are worthy of attention are managed and
risks not worthy of consideration are accepted. A risk treatment plan
should be defined for every identified risk.
Risk acceptance: Risk acceptance involves
a decision by management to accept a given risk without further
mitigation or transfer, for a period of time. This happens in two
classes of circumstances. For risks that are too low to bother
protecting against or for which insurance and due diligence are
adequate, risk is accepted. For risks that are to be mitigated but
where mitigation cannot be done instantaneously or for which rapid
mitigation is too expensive to warrant, risks are accepted for periods
during which mitigation is undertaken.
Risk avoidance: Risk avoidance is a
business strategy in which certain classes of activities or business
processes are not undertaken because the risks are too high to justify
the return on investment. A typical example is a decision about the
maximum value to be placed in a vault, at a site, or on a truck. This
strategy avoids the aggregation of risks associated with placing
excessive value in one place. Other similar avoidance strategies such
as not opening offices in war zones or not doing business in certain
localities are commonplace in business.
Risk transfer: Risk transfer for low
consequences is usually affordable and reasonable if some level of
reasonable and prudent controls is in place. This meets due diligence
standards for low risk systems. Risk transfer for medium and high
consequences is rare, expensive, and only justified in cases where the
worst case loss is not sustainable and an adequate outside insurance
capacity is willing to take on the risk. This is a strategy that loses
in the long run for medium and high risks.
Risk mitigation: Risk mitigation seeks to
reduce the residual risk by using safeguards to eliminate or reduce the
likelihood of event sequences that can cause serious negative
consequences. This involves reduction of threats, reduction of the link
between threats and vulnerabilities, reduction of vulnerabilities,
reduction of the link between vulnerabilities and consequences, and
reduction of consequences associated with event sequences. All
mitigation leaves residual risk that eventually has to be accepted,
transferred, or avoided. The question is how much reduction is desired
and how much is afforded by the mitigation strategy employed.
Interdependencies: The business function of information or
technology depends on people, who in turn depend on applications and
application infrastructures. These in turn depend on systems and
system infrastructures that depend on physical infrastructures.
Ultimately these all depend on critical infrastructures. These
interdependencies contribute to risk aggregation: the more things that
depend on a component, directly or indirectly, the more risk aggregates on it.
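The aggregation effect described above can be made concrete by walking a dependency graph. The following is an added example, not part of the original text: it uses a constructed dependency map (business functions at the top, critical infrastructures at the bottom, following the layering in the paragraph) and constructed consequence ratings, inverts the map, and reports how much business consequence is exposed through each component. The component names, ratings, and the sum-of-consequences aggregation rule are assumptions for illustration.

```python
"""Risk aggregation over interdependencies (added example; constructed data)."""
from typing import Dict, List, Set

# Constructed dependency map: each key lists the components it directly
# depends on. Layers follow the text: business function -> people ->
# applications -> application infrastructure -> systems -> system
# infrastructure -> physical infrastructure -> critical infrastructure.
DEPENDS_ON: Dict[str, List[str]] = {
    "order-processing": ["sales-staff", "erp-app"],   # business functions
    "payroll":          ["hr-staff", "payroll-app"],
    "sales-staff":      ["head-office"],              # people -> physical
    "hr-staff":         ["head-office"],
    "erp-app":          ["app-cluster"],              # applications
    "payroll-app":      ["app-cluster"],
    "app-cluster":      ["server-rack"],              # application infra
    "server-rack":      ["datacenter"],               # systems -> sys infra
    "head-office":      ["power-grid"],               # physical infra
    "datacenter":       ["power-grid", "telecom"],
    "power-grid":       [],                           # critical infra
    "telecom":          [],
}

# Constructed consequence rating of losing each business function
# (3 = high, 2 = medium, 1 = low).
FUNCTION_CONSEQUENCE: Dict[str, int] = {"order-processing": 3, "payroll": 2}


def dependents_of(graph: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Invert the map: component -> set of things that directly depend on it."""
    inverted: Dict[str, Set[str]] = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            inverted.setdefault(dep, set()).add(node)
    return inverted


def affected_functions(component: str,
                       graph: Dict[str, List[str]] = DEPENDS_ON) -> Set[str]:
    """Business functions that transitively depend on `component`.

    A depth-first walk over the inverted graph; the `seen` set keeps the
    walk finite even if a dependency cycle is present in the data.
    """
    inverted = dependents_of(graph)
    seen: Set[str] = set()
    stack = [component]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(inverted.get(node, ()))
    return {n for n in seen if n in FUNCTION_CONSEQUENCE}


def aggregated_risk(component: str,
                    graph: Dict[str, List[str]] = DEPENDS_ON) -> int:
    """Total consequence exposed through one component: the sum of the
    ratings of every business function that depends on it."""
    return sum(FUNCTION_CONSEQUENCE[f]
               for f in affected_functions(component, graph))


def aggregation_report(graph: Dict[str, List[str]] = DEPENDS_ON) -> Dict[str, int]:
    """Exposure for every component, so the aggregation down the stack is visible."""
    return {c: aggregated_risk(c, graph) for c in graph}


if __name__ == "__main__":
    for component, exposure in sorted(aggregation_report().items(),
                                      key=lambda kv: -kv[1]):
        print(f"{component:18s} exposure={exposure} "
              f"functions={sorted(affected_functions(component))}")
```

Running the report shows the pattern the paragraph describes: an application such as `erp-app` carries only the consequence of the one function built on it, while `power-grid` at the bottom of the chain carries the consequences of every function above it.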
Matching surety to risk: Generally, higher
certainty implies greater costs. So the desire to reduce costs has to
be balanced with the desire to reduce risks. As a rule of thumb, as
risks increase the certainty with which they should be mitigated should
also increase. Thus the notion that surety should match risk.
Different risk mitigation approaches have different surety levels as
indicated under the protective mechanisms area.
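The evaluation flow (identify event sequences, rate consequence, assess threat capability and intent, consider vulnerabilities), the four treatment options, and the rule that surety should match risk can be expressed as one small decision procedure. The following is an added example and not the author's own model: the data fields (`insurable`, `worst_case_sustainable`, `mitigable`, `mitigation_immediate`), the sample event sequences, and the exact ordering of the decision rules are assumptions chosen to illustrate the text, and a real treatment plan would be a management decision, not the output of a script.

```python
"""Risk treatment decision helper (added example; fields and samples are constructed)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Consequence(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Treatment(Enum):
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"
    MITIGATE = "mitigate"


@dataclass
class Threat:
    name: str
    capable: bool   # able to induce this event sequence
    intends: bool   # wants to (taken as True for nature and accidents)


@dataclass
class EventSequence:
    name: str
    consequence: Consequence
    threats: List[Threat] = field(default_factory=list)
    insurable: bool = True               # loss can be transferred at reasonable cost
    worst_case_sustainable: bool = True  # the business survives the worst case
    mitigable: bool = True               # safeguards exist that reduce likelihood
    mitigation_immediate: bool = True    # those safeguards can be applied now


def active_threats(seq: EventSequence) -> List[Threat]:
    """Only threats with both capability and intent justify further analysis."""
    return [t for t in seq.threats if t.capable and t.intends]


def required_surety(c: Consequence) -> str:
    """Surety matches risk: higher consequence, higher assurance of the mitigation."""
    return {Consequence.LOW: "low", Consequence.MEDIUM: "medium",
            Consequence.HIGH: "high"}[c]


def decide(seq: EventSequence) -> Tuple[Treatment, str, str]:
    """Return (treatment, surety level, rationale) for one event sequence."""
    if seq.consequence is Consequence.LOW:
        # Low consequence: due diligence plus insurance meets the standard.
        if seq.insurable:
            return Treatment.TRANSFER, "low", "insurable business risk"
        return Treatment.ACCEPT, "low", "too low to bother protecting against"
    surety = required_surety(seq.consequence)
    threats = active_threats(seq)
    if not threats:
        return Treatment.ACCEPT, surety, "no threat with both capability and intent; reassess periodically"
    names = ", ".join(t.name for t in threats)
    if seq.mitigable:
        if seq.mitigation_immediate:
            return Treatment.MITIGATE, surety, f"vulnerability analysis and safeguards against: {names}"
        # Mitigation is planned but cannot be instantaneous: accept for the interim.
        return Treatment.ACCEPT, surety, f"accepted while mitigation against {names} is undertaken"
    if seq.worst_case_sustainable:
        return Treatment.ACCEPT, surety, "no adequate safeguard, but the worst case is survivable"
    if seq.insurable:
        # The rare case in which transfer of a medium/high risk is justified.
        return Treatment.TRANSFER, surety, "worst case not sustainable; outside capacity will carry it"
    return Treatment.AVOID, surety, "worst case not sustainable and not transferable: do not undertake"


def treatment_plan(seqs: List[EventSequence]) -> Dict[str, Tuple[Treatment, str]]:
    """One treatment decision per identified risk, keyed by event sequence name."""
    return {s.name: decide(s)[:2] for s in seqs}


# Constructed sample event sequences for a fictitious company.
SAMPLE: List[EventSequence] = [
    EventSequence("visitor slips in lobby", Consequence.LOW,
                  [Threat("accident", True, True)]),
    EventSequence("customer records disclosed", Consequence.MEDIUM,
                  [Threat("criminal group", True, True),
                   Threat("curious insider", True, False)]),
    EventSequence("plant fire", Consequence.HIGH,
                  [Threat("equipment failure", True, True)],
                  mitigation_immediate=False),
    EventSequence("entire cash reserve on one truck", Consequence.HIGH,
                  [Threat("robbery crew", True, True)],
                  insurable=False, worst_case_sustainable=False, mitigable=False),
    EventSequence("river flood reaches warehouse", Consequence.MEDIUM,
                  [Threat("nature", False, True)]),  # site sits above the flood plain
]

if __name__ == "__main__":
    for seq in SAMPLE:
        treatment, surety, why = decide(seq)
        print(f"{seq.name:36s} {treatment.value:9s} surety={surety:7s} {why}")
```

The truck case reproduces the paragraph's own example of avoidance: rather than mitigating or insuring the aggregation of value, the activity is not undertaken. The plant fire case shows interim acceptance with a high surety requirement attached, so the plan records both the decision and the level of assurance the eventual mitigation must reach.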
Risk management is the process used by enterprises to
turn duty to protect into decisions of what to protect and to what
extent they should be protected. It leads to the executive security
management function that is tasked with carrying out the duty to protect
the things that should be protected to the extent appropriate to the
need as identified by risk management.