The FAIR Institute Blog

How Should Your Organization Respond to Risk? A Look at Risk Treatment

Written by Will Klotz | Oct 28, 2025 2:00:00 PM

A well-honed risk register doesn’t just manage risk; it becomes a strategic asset you can use to help save your company from cybersecurity risk. 

This blog post is contributed by GuidePoint Security, a FAIR Institute sponsor. Author Will Klotz is Senior Information Security Consultant at GuidePoint Security.

In an earlier blog post, we talked about the importance of ensuring your risk register remains a strategic asset through ongoing care and feeding (see Keeping Your Register Dynamic and Insightful). Building your risk register and identifying and tracking risks are only half the battle. Now, it’s time to talk about the part of the equation that drives real security and business value: Risk Treatment, or how your organization will respond to risk and ensure action is taken.

Accountability & Decision Thresholds

As with all risk and incident response strategies, a key step is clear ownership. In other words, define roles and responsibilities. Without someone accountable, remediation will stall or even stop entirely.

Once you have clearly defined roles, use your individual organization’s defined risk thresholds or risk appetite to determine which risk needs escalation, and when. 

Risk Tolerance-defined Risk Treatment 

Risk treatment outlines how you will handle a risk once it’s been identified and prioritized. Specifically, it defines tactics that support both planning and accountability. That treatment should be aligned to the pre-defined level of residual risk the organization is willing to carry. Here are some things to consider when composing your risk treatment plan to ensure your risk register is delivering timely risk mitigation, clearer accountability, and actionable reporting:

  • What actions will be taken to address the risk? (aka Mitigation Strategy)
  • Will your actions be to accept, remediate, transfer or avoid? (aka Risk Treatment Response Type)
    • Acceptance: accepting the residual risk when reduction is not feasible or cost-effective
    • Remediation: fixing the risk via controls, processes, etc.
    • Transfer: leveraging cyber insurance or outsourcing the issue
    • Avoidance: eliminating the risk source
  • Who is doing what? (aka clearly defined remediation Actions and Owners)
  • When should risk be mitigated or accepted? (aka Due Date / Target Completion)
  • What remains after treatment, so the organization knows what exposure it still carries? (aka Residual Risk)
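As an added illustration (not code from the original post or from GuidePoint Security), here is how the checklist fields above, the four response types, and a tolerance threshold can be represented and checked programmatically. The risk IDs, owners, due dates, loss figures and the tolerance value are constructed for the example; the exposure numbers stand in for whatever quantification (for example FAIR annualized loss) your program uses.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum

class Response(Enum):
    """The four treatment response types named in the post."""
    ACCEPT = "accept"
    REMEDIATE = "remediate"
    TRANSFER = "transfer"
    AVOID = "avoid"

@dataclass
class RiskEntry:
    """One risk register row carrying the treatment fields from the checklist above."""
    risk_id: str
    mitigation: str           # what actions will be taken
    response: Response        # accept / remediate / transfer / avoid
    owner: str                # who is doing it
    due: date                 # target completion date
    inherent_exposure: float  # annualized expected loss before treatment (constructed figures)
    residual_exposure: float  # what remains after treatment
    completed: bool = False

def review_entry(entry: RiskEntry, tolerance: float, today: date) -> list[str]:
    """Governance-review checks: the findings a risk council should see for one row."""
    findings = []
    if not entry.owner.strip():
        findings.append("no accountable owner")             # remediation will stall
    if entry.residual_exposure > tolerance:
        findings.append("residual risk outside tolerance")  # needs escalation
        if entry.response is Response.ACCEPT:
            findings.append("acceptance exceeds risk appetite")
    if entry.response is not Response.ACCEPT and not entry.completed and today > entry.due:
        findings.append("treatment overdue")                # delayed treatment
    return findings

def risk_reduction(entry: RiskEntry) -> float:
    """Share of inherent exposure removed by treatment ('did the risk meaningfully drop?')."""
    if entry.inherent_exposure <= 0:
        return 0.0
    return 1.0 - entry.residual_exposure / entry.inherent_exposure

# Constructed sample register; tolerance and loss figures are illustrative only.
TOLERANCE = 200_000.0
REGISTER = [
    RiskEntry("R-1", "Enforce MFA on VPN", Response.REMEDIATE, "IAM lead", date(2025, 9, 30), 900_000.0, 120_000.0),
    RiskEntry("R-2", "Cyber insurance for ransomware", Response.TRANSFER, "CISO", date(2025, 12, 31), 1_500_000.0, 400_000.0),
    RiskEntry("R-3", "Legacy print server, no fix available", Response.ACCEPT, "", date(2025, 12, 31), 50_000.0, 50_000.0),
]
```

Running `review_entry` over each row on a review date gives the council its agenda: rows outside tolerance, rows with no owner, and rows whose treatment has slipped past its due date.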

Once all of that happens, governance structures (steering committees, risk councils) should review risks, especially those outside of tolerance, or where treatment has been delayed. Risk treatment planning is an important step in maturing your risk register.

Measuring Treatment Success

Tracking treatment is not just about “checking the box”; it’s about answering “did it work?” and “did the risk meaningfully drop?” It’s also about continually revising your risk register and ensuring that it still meets your organizational needs and risk priorities.

For a deeper dive into structuring risk treatment plans, read Modernize Your Risk Register: How to Build a Scalable, Decision-ready Program. Download the whitepaper here.