Essential Risk Management Strategies

Dec 15, 2024

Risk Management Strategies in Organizations

Key Strategies for Dealing with Risk

1. Risk Transfer

  • Definition: Moving the risk under the control of a different party.
  • Example: Purchasing cyber security insurance.

2. Risk Acceptance

  • Definition: The organization decides to accept the risk.
  • Common Practice: Often the most common course of action.
  • Exemptions:
    • An organization may grant an exemption from a policy once it has accepted the associated risk.
    • Example: A manufacturing device running a Windows version that no longer receives updates may be exempted from the patching policy if it is not connected to the network.

3. Creating Exceptions

  • Definition: Accepting risk but allowing exceptions to existing policies.
  • Example: If a patch crashes critical software, an exception may be granted that allows the update to be delayed.

4. Risk Avoidance

  • Definition: Completely removing a risk so no additional management is required.

5. Risk Mitigation

  • Definition: Reducing the impact of a risk.
  • Example: Investing in a Next Generation Firewall to handle internet-related risks.

Tracking and Reporting Risks

Risk Reporting

  • Purpose: To track tens or hundreds of risks.
  • Components:
    • Lists all risks being tracked.
    • Provides a description and handling method for each risk.
  • Users: Commonly referenced by upper management for business decision-making.
  • Updates: Constantly updated to include critical and emerging risks.
  • Importance: Helps management make informed business decisions regarding purchases and risk handling.