
Navigating the Five Common Responses to Negative Risk

SCHAUMBURG, Ill.--(BUSINESS WIRE)--Risk managers deal with multiple levels of complexity in a constantly changing threat landscape. There are typically five common responses to risk: avoid, share/transfer, mitigate, accept and increase. ISACA’s new white paper, Optimizing Risk Response, confronts the inconsistencies, opportunities, obstacles, strengths and weaknesses inherent in risk response options to provide an understanding of how to manage risk in a way that aligns with enterprise goals and culture.

Often, managers employ a combination of response options rather than choosing just one. ISACA’s guidance details the potential benefits and common pitfalls of each response: for example, with risk sharing, moral hazard and inability of a third party to realistically accept risk are some of the common pitfalls, but a potential benefit is that the risk is quantified and spread around to various parties to limit losses.

Enterprises must carefully ensure the following when weighing risk response options:

  • The strategy to respond to risk supports the enterprise’s goals, objectives and IT strategic alignment.
  • The strategy to respond to risk does not contradict the enterprise’s value proposition.
  • The strategy to respond to risk is aligned with the enterprise’s risk appetite and tolerance.
  • The enterprise has the ability, risk maturity, and the appropriate people, processes and technology to execute the chosen risk response option.
  • The enterprise has considered how each risk response option influences the components of risk (loss frequency, loss magnitude and risk velocity).

“Having an optimized risk response process is essential for helping enterprises manage risk efficiently,” says Paul Phillips, CISA, CISM, MBA, ISACA IT Risk Professional Practices Lead. “Each action an enterprise takes to respond to risk can have a ripple effect, influencing other systems and processes. It’s important to understand how the risk response option will influence risk and how the option is implemented to move toward an efficient and optimized risk management process.”

Professionals can also reinforce this knowledge by listening to the free ISACA webinar, Rethinking Risk Response, launching 29 July 2021 at 1 p.m. EDT/5 p.m. UTC. Tony Martin-Vegue, senior security risk engineer at Netflix, will share how to optimize the ways organizations respond to risk and move it from a basic risk mitigation process to a true strategic advantage.

Optimizing Risk Response is a complimentary download at www.isaca.org/bookstore/bookstore-wht_papers-digital/whporr. To register for the Rethinking Risk Response webinar, visit www.isaca.org/education/online-events/lms_w072921.

Other available risk resources from ISACA include Risk IT Framework, 2nd Edition and COBIT Focus Area: Information and Technology Risk.

About ISACA

ISACA® (www.isaca.org) is a global professional association and learning organization that leverages the expertise of its more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation.

Contacts

Emily Van Camp, evcamp@isaca.org, +1.847.385.7223
Bridget Drufke, communications@isaca.org, +1.847.660.5554
