
Enterprise Risk Management Control Cycle

Identification of Options | Development of Action Plan | Approval of Action Plan | Implementation of Action Plan | Identification of Residual Risks

According to its definition, Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk. The measures (i.e. security measures) can be selected from the sets of security measures that are used within the Information Security Management System (ISMS) of the organization. At this level, security measures are verbal descriptions of various security functions that are implemented technically (e.g. software or hardware components) or organizationally (e.g. established procedures).

Identification of Options

Having identified and evaluated the risks, the next step involves the identification of alternative appropriate actions for managing these risks, the evaluation and assessment of their results or impact and the specification and implementation of treatment plans.

Identified risks vary in their impact on the organization, and not all of them carry the prospect of loss or damage. Opportunities may also arise from the risk identification process, as types of risk with positive impact or outcomes are identified.

Management or treatment options for risks expected to have positive outcome include:

  • starting or continuing an activity likely to create or maintain this positive outcome;
  • modifying the likelihood of the risk, to increase possible beneficial outcomes;
  • trying to manipulate possible consequences, to increase the expected gains;
  • sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains;
  • retaining the residual risk.

Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:

  • to avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk;
  • to modify the likelihood of the risk trying to reduce or eliminate the likelihood of the negative outcomes;
  • to try modifying the consequences in a way that will reduce losses;
  • to share the risk with other parties facing the same risk (insurance arrangements and organizational structures such as partnerships and joint ventures can be used to spread responsibility and liability); of course, one should always keep in mind that if a risk is shared in whole or in part, the organization acquires a new risk, i.e. the risk that the organization to which the initial risk has been transferred may not manage it effectively;
  • to retain the risk or its residual risks;