
environmental control measures and management plans.

Decide on the combination of methods to be used for each risk. Each risk management decision should be recorded and approved by the appropriate level of management.

For example, a risk concerning the image of the organization should have a top management decision behind it, whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the risks.

A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.

The risk management concept is old but is still not very effectively measured. Example: An observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software.

6. Implementation

Follow all of the planned methods for mitigating the effect of the risks.

Purchase insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity’s goals, reduce others, and retain the rest.

7. Review and Evaluation of the Plan

Initial risk management plans will never be perfect.

Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:

  1. To evaluate whether the previously selected security controls are still applicable and effective, and
  2. To evaluate the possible risk level changes in the business environment. Information risks are a good example of the rapidly changing business environment.