CONTENTS
Introduction
Optimizing Risk Response—Risk Management vs. Business Strategy
Current Thinking on Risk Response
Defining and Calculating Risk
/ Positive Risk
Response Options Influence Risk
Allowing Risk Appetite to Guide Decision Making
/ Managing Risk on the Loss Exceedance Curve
Making the Most of Risk Mitigation
/ Ascertaining the Cost of Response
Optimizing Risk Sharing
/ Moral Hazard
/ Inability of a Third Party to Realistically Accept Risk
/ The Misconception That All Forms of Loss Are Covered
/ Gap Analysis on Risk Sharing
Risk Acceptance
Beware of Secondary Risk
Increase Risk—A Viable Option
/ Another Form of Risk Increase: Recipient of Risk Sharing
Conclusion
Acknowledgments
ABSTRACT
This white paper provides an overview of options for optimizing risk management in the enterprise, based on current frameworks in widespread use, and is intended for enterprise decision makers and risk managers. It addresses the five common responses to negative risk: avoid, share/transfer, mitigate, accept and increase. Examples illustrate the potential benefits and common pitfalls associated with each response. The paper emphasizes the complexity of risk decision making in a constantly changing threat landscape. Further, it underscores the ultimate purpose of risk management, which is to achieve enterprise objectives.
Introduction
Responding to risk is a part of daily life, whether using a formalized and structured risk management framework or informal mental models. Think about the choices drivers make every time they get into a car and implement various strategies to respond to risk related to driving. The dangers of driving a vehicle are well-known, and drivers are willing to accept some risk to meet an objective, such as going to work. Some risk can be mitigated by wearing a seat belt, driving a car with enhanced safety features, and engaging in defensive driving. A portion of the driving risk typically is transferred to a third party via automobile insurance. To complicate matters, everyone is willing to take on a different level of risk, so the manner of driving, level of insurance, and car safety features employed vary.

Today’s risk managers face similar issues, but with multiple layers of complexity. Their role is to ensure that risk-taking and risk response are aligned with strategic objectives. In a rapidly evolving technology, regulatory and threat landscape, the task of identifying the most efficient course of action for resource expenditure can be mind-boggling. Formally, this process is called “risk response.” The following four dispositions help enterprises manage risk efficiently, focusing on risk with the greatest potential impact on organizational objectives should the risk materialize:
• Risk avoidance
• Risk mitigation
• Risk sharing or transfer
• Risk acceptance

The purpose of risk response is to bring risk in line with defined risk appetite in the wake of risk analysis. A response needs to be defined so that future residual risk (current risk with the risk response defined and implemented) falls within risk appetite limits as much as possible (usually depending on budgets available).1

In other words, risk response is the formal process an enterprise adopts to decide what to do with risk after it is identified and assessed. The previous definition, however, does not completely describe the complexity of the problem. Rather than choosing one response option, risk managers usually employ a combination of options. Achieving the right balance among options can be a challenge for some risk managers as each option has pros, cons, efficiencies, inefficiencies, unintended consequences and costs—both tangible and intangible. Complicating matters, the topic of risk response is not always consistent across major frameworks and prevailing literature.

This white paper is not a summary of risk response options and definitions. Instead, the goal of this white paper is to confront the inconsistencies, opportunities, obstacles, strengths and weaknesses inherent in risk response options, providing readers with an understanding of how to manage risk in a way that aligns with enterprise goals and risk culture.

Through this understanding, risk managers can move beyond the Risk IT Framework definition. There is more to risk response than simply ensuring that risk is within the enterprise’s appetite or moving reds (severe) to yellow (moderate).2 Successful enterprise decision making means risk is holistically tied to the execution of strategic goals. When this connection is achieved, the purpose of risk management moves beyond reducing risk and becomes part of the efficient allocation of enterprise resources. Optimizing resources often requires implementing a combination of choices that are the result of careful analysis.
1 ISACA, Risk IT Framework, 2nd Edition, USA, 2020, www.isaca.org/bookstore/bookstore-risk-print/ritf2
2 Risk is often noted using a stoplight color scheme where red indicates a severe or major risk, yellow indicates a moderate risk and green indicates an acceptable or inconsequential risk.
[...] response option can lead to a change in risk (usually lower, but that is not always the case). There are many considerations from both a risk management and business strategy perspective. Enterprises must carefully ensure the following when weighing risk response options:
• The strategy to respond to risk supports the enterprise’s goals, objectives and IT strategic alignment.
• The strategy to respond to risk does not contradict the enterprise’s value proposition.
• The strategy to respond to risk is aligned with the enterprise’s risk appetite and tolerance.
• The enterprise has the ability, risk maturity, and the appropriate people, processes and technology to execute the chosen risk response option.
• The enterprise has considered how each risk response option influences the components of risk (loss frequency, loss magnitude and risk velocity).
• The cost and efficiency of the response is commensurate with the level of risk reduction.

It is essential to set optimization goals aligned with the enterprise’s risk appetite when determining how to respond to risk. For example, an enterprise may choose to optimize security, to reduce end-user friction, to ensure the efficient allocation of resources (e.g., time, people, money), to focus on safety, to address regulatory concerns, or a combination of the above.

Some enterprises simply set the optimization goals to always mitigate (e.g., move reds to yellow and yellows to green within a specified time frame). Enterprises will find that they can unlock a competitive advantage if they progress beyond mitigation as the default response and create a process in which each risk is evaluated, weighed in terms of pros and cons, and considered as a means to execute the enterprise’s value proposition.
[...] risk-management framework, spanning various disciplines [...] operational, and information security risk.
• [...] Commission (COSO), “Enterprise Risk Management [...]4
• International Organization for Standardization (ISO®), ISO [...]
3 ISACA, COBIT Focus Area: Information and Technology Risk, USA, 2021, www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19irfa
4 Op cit ISACA, Risk IT Framework, 2nd Edition
5 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks,” October 2018, www.coso.org/Documents/COSO-WBCSD-ESGERM-Guidance-Full.pdf
6 International Organization for Standardization (ISO®), ISO 31000:2018 Risk management – Guidelines, February 2018, www.iso.org/standard/65694.html
7 ISO, ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management, July 2018, www.iso.org/standard/75281.html
• National Institute of Standards and Technology (NIST), Special Publication 800-39, “Managing Information Security Risk: [...]
• Project Management Institute (PMI), A Guide to the Project Management Body of Knowledge [...]
• Avoid—The enterprise makes changes so that the loss event does not occur; risk is eliminated. Avoiding a risk also means abandoning any possible opportunities associated with the activity.
• Share/transfer—Risk is either partially shifted (shared) or [...]
• Mitigate—Risk is reduced by performing activities that reduce either the frequency of events or the probable loss. Activities [...] redesign of processes. Mitigation activities also include [...]

[...] Management Body of Knowledge” as an option in an established framework. Figure 1 highlights the differences among major frameworks.
8 National Institute of Standards and Technology (NIST), “Managing Information Security Risk: Organization, Mission, and Information System View,” March 2011, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
9 Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK® Guide), USA, 2017
10 Vose, D.; Risk Analysis: A Quantitative Guide, Wiley, USA, 2008
[...] risk concepts is an open problem in the field. It is critical that risk managers set and widely socialize these definitions as a first step in building a program. Adopting definitions from a major framework, as opposed to creating one’s own, will ease confusion and help guard against contradictory concepts creeping into an enterprise’s program.

Figure 2 shows the top-level, basic risk equation from the Open FAIR (Factor Analysis of Information Risk)12 standard. “Loss event frequency,” known as “probability” or “chance” in other models, is the frequency at which an [...]

[...] are two schools of thought: The first maintains that risk is only negative—that is, its potential is limited to adverse events. The second way of thinking is that risk can be positive or negative—both opportunities and adverse events can result from risk.

The root cause of the disagreement goes to the very definition of risk itself. Most frameworks, books on the subject, and risk managers adopt the view that risk is the adverse consequence of an event. The Society for Risk Analysis (SRA) defines risk as “…a future activity…for example, the operation of a system,” and frames risk “in [...]
11 Robinson, C.; “Why CVSS does not equal risk: How to think about risk in your environment,” Red Hat Blog, 10 July 2019, www.redhat.com/en/blog/why-cvss-does-not-equal-risk-how-think-about-risk-your-environment
12 The Open Group Library, “Open FAIR™ Standards,” https://publications.opengroup.org/standards/open-fair-standards
13 Freund, J.; “Good Risk or Bad Risk?,” @ISACA, 8 June 2020, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2020/volume-12/good-risk-or-bad-risk
[...] relation to the consequences (effects, implications) of this activity with respect to something that humans value. The [...]

[...] by nature and it requires risk management to avoid exposing our organizations to unnecessary harm.”16
14 Society for Risk Analysis (SRA), “Society for Risk Analysis Glossary,” August 2018, www.sra.org/wp-content/uploads/2020/04/SRA-Glossary-FINAL.pdf
15 Jones, J.; “Clarifying ‘Upside’ and ‘Positive’ Risk,” FAIR Institute, 30 October 2018, https://www.fairinstitute.org/blog/clarifying-upside-and-positive-risk
16 Op cit Freund, “Good Risk or Bad Risk?”
17 Op cit ISO, ISO 31000:2018 Risk management – Guidelines
[...] an enterprise can tolerate without risking its continued existence.18

The COSO and COBIT Focus Area: Information and Technology Risk frameworks guide the risk manager to use risk appetite and tolerance as the starting point when [...]

If the risk is well below tolerance, the enterprise may choose to accept the risk, focusing resources on risk that exceeds the established thresholds. If the assessed risk exceeds tolerance, the enterprise should choose a method that reduces it.

After reducing risk to a level that is within tolerance, the [...]

Figure 4 shows an enterprise’s risk tolerance, with an example risk graphed to a loss exceedance curve. This enterprise is willing to take on more probable risk at the lower dollar amounts to achieve its objectives, but it becomes risk-averse at higher ranges. Because risk-taking [...] the focus of risk management should not be on mitigation, contrary to typical heat maps.

The focus of risk management—and by extension, risk response—should be to help the enterprise use a data-driven approach that aligns with its objectives both to take and mitigate risk. A recent ISACA Journal article elaborates on this point: “The end state of the (response) activity is risk integrated with the corporate strategy and business management weighing risk/return implications and potential risk trade-offs in their strategic and operational decisions.”21
18 Op cit ISACA, Risk IT Framework, 2nd Edition
19 Op cit Committee of Sponsoring Organizations of the Treadway Commission (COSO)
20 Op cit ISACA, COBIT Focus Area: Information and Technology Risk
21 Vohradsky, D.; “A Model and Best Practices for Risk Transformation,” ISACA® Journal, vol. 3, May 2019, www.isaca.org/resources/isaca-journal/issues/2019/volume-3/a-model-and-best-practices-for-risk-transformation
Figure 4 (loss exceedance curve; plot not reproduced): y-axis “Probability of exceeding loss,” 0% to 100%; x-axis “Loss exceeded,” $0 to $30,000,000; series: Loss exceedance tolerance, Risk #1.
Another advantage of the loss exceedance curve is that it gives decision makers the ability to decide where on the curve they want to manage risk. For example, a risk-averse enterprise may choose to focus response efforts on risk with a 50% probability of exceeding $10 million; an enterprise that is risk-seeking and has capital reserves to cover losses may manage risk with a 10% probability of exceeding $25 million.

Risk-averse organizations will want to respond to a wide range of possible outcomes; therefore, they could manage to the 50% probability point. They will invest in mitigation efforts to reduce the chances of losses equaling or exceeding $10 million because they cannot or will not tolerate the loss. Risk-seeking organizations will want to hold on to that capital for other projects and will only manage worst-case scenarios, for example $25 million or more at 10%. Risk seekers have a higher tolerance for risk and are willing to accept losses that are below $25 million, and only mitigate extreme losses.

Plotted on a heat map, Risk #1 in figure 4 probably would end up in the red quadrant because it is possible to have $30 million in losses—the upper end of the loss range.

Heat maps show a single outcome. The loss exceedance curve shows that risk can have a range of outcomes. A data breach is still a data breach, regardless of whether 500 records or 500 million records are compromised, but losses to the enterprise will significantly differ. Giving leadership insight and transparency into the full range of risk is a significant advantage of using a loss exceedance curve over using heat maps.22
22 More information on creating loss exceedance curves can be found in Hubbard, D.; R. Seiersen; How to Measure Anything in Cybersecurity Risk, Wiley, USA, 2016
23 ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19dgd
[...] or current risk, and each subsequent analysis would measure proposed mitigation activities, providing valuable data on where to invest.

Example

A US-based pharmaceutical company is worried about intellectual property (IP) theft. There have been several incidents in the past of both accidental and intentional disclosure of confidential company information. Several recent risk and control analyses have revealed an inadequate control environment. Furthermore, IP theft is above the established appetite for risk, so leadership wants this mitigated urgently, as long as the cost is commensurate with the expected reduction in risk.

The loss exceedance curve in figure 5 shows how the example company has run several analyses, intending to provide information to help make informed security investment decisions. There are two security controls under consideration. The first is implementing data loss prevention (DLP): a costly but effective suite of security controls that actively scan, detect and block data exfiltration, represented by the blue curve.

The second proposal is a much less expensive option: Over time, implement robust employee vetting, background checks, regular credit checks and compliance training, represented by the green curve.

The risk analysis and loss exceedance curve provide the following information:
• Enterprise’s current risk tolerance
• Current or baseline risk from intellectual property theft
• Projected risk reduction from two different risk response proposals

A quantitative risk analysis combined with the projected costs of both projects gives leadership a much more accurate picture of total return on investment than qualitative methods do.
Figure 5 (loss exceedance curves; plot not reproduced): y-axis “Probability of exceeding loss,” 0% to 100%; x-axis “Loss exceeded,” $0 to $100,000,000; series: Loss exceedance tolerance, Implement DLP, Increased employee checks and training, Current risk.
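The two passages above, managing risk at a chosen point on the loss exceedance curve (figure 4) and comparing the DLP and employee-vetting proposals against current risk (figure 5), both come down to the same computation: build a loss exceedance curve from a loss distribution, read off the probability of exceeding a dollar threshold, and compare that to the tolerance curve and to the cost of each control. The following Python is an added example and not code from the ISACA paper or from the Open FAIR standard. Every number in it is constructed for illustration: the tolerance points echo the paper's 50% at $10 million and 10% at $25 million, and the three scenarios stand in for the pharmaceutical company's baseline IP-theft risk, the DLP proposal and the vetting proposal. The event-frequency and lognormal-magnitude model is a common quantitative-risk simplification, not something the paper prescribes.

```python
"""Loss exceedance curve (LEC) analysis with a tolerance check and a control cost comparison.

Added example; not code from the ISACA paper. Standard library only.
All frequencies, loss magnitudes, tolerance points and control costs are
constructed for illustration.
"""
import math
import random
from statistics import fmean


def _poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(event_freq, median_loss, sigma, years=20000, seed=1):
    """Monte Carlo: annual loss = sum of per-event losses. Event count per year is
    Poisson(event_freq); each event's magnitude is lognormal around median_loss,
    with sigma controlling the spread in log space (assumed model, not the paper's)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, event_freq)))
            for _ in range(years)]


def exceedance_probability(losses, threshold):
    """P(annual loss >= threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def exceedance_curve(losses, thresholds):
    """The LEC sampled at the given loss thresholds, as (threshold, probability) pairs."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


def tolerance_breaches(losses, tolerance):
    """Thresholds at which the simulated LEC sits above the tolerance curve.
    tolerance: list of (threshold, maximum acceptable probability of exceeding it)."""
    return [t for t, max_p in tolerance if exceedance_probability(losses, t) > max_p]


def compare_control(baseline, treated, annual_cost):
    """Expected-loss reduction a control buys versus what it costs per year."""
    reduction = fmean(baseline) - fmean(treated)
    return {"risk_reduction": reduction,
            "net_benefit": reduction - annual_cost,
            "benefit_cost_ratio": reduction / annual_cost}


if __name__ == "__main__":
    # Constructed tolerance: accept a 50% chance of >= $10M, but only a 10% chance of >= $25M.
    tolerance = [(10e6, 0.5), (25e6, 0.1)]
    baseline = simulate_annual_losses(event_freq=0.8, median_loss=8e6, sigma=1.0)
    dlp = simulate_annual_losses(event_freq=0.2, median_loss=6e6, sigma=1.0)      # fewer, smaller events
    vetting = simulate_annual_losses(event_freq=0.5, median_loss=8e6, sigma=1.0)  # fewer events only
    grid = [0, 5e6, 10e6, 15e6, 20e6, 25e6, 30e6]
    for name, losses in (("current", baseline), ("DLP", dlp), ("vetting", vetting)):
        print(name, [(f"${t / 1e6:.0f}M", f"{p:.0%}") for t, p in exceedance_curve(losses, grid)])
        print("  breaches tolerance at:", tolerance_breaches(losses, tolerance))
    print("DLP:", compare_control(baseline, dlp, annual_cost=3e6))
    print("vetting:", compare_control(baseline, vetting, annual_cost=0.4e6))
```

Reading the output the way the paper suggests: `tolerance_breaches` tells a risk-averse enterprise whether the $10 million point is still above its line and a risk-seeking one whether the $25 million point is, while `compare_control` gives the expected-loss reduction per dollar that a qualitative heat map cannot. With the constructed parameters the cheaper vetting proposal tends to show the better benefit-to-cost ratio while DLP removes more risk in absolute terms and is the one more likely to bring the curve inside tolerance, which is exactly the trade-off leadership has to weigh.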
24 Freund, J.; “Not All Risk Treatment Options Are the Same,” @ISACA, 15 March 2021, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-6/not-all-risk-treatment-options-are-the-same
25 Rowell, D.; L. Connelly; “A History of the Term ‘Moral Hazard,’” Journal of Risk and Insurance, 8 February 2012, https://doi.org/10.1111/j.1539-6975.2011.01448.x
[...] hazard. The more rigor in such a program (e.g., risk quantification), the more unintended negative consequences can be reduced.

A recent ISACA article elaborates on this point in examining outsourcing as a method of risk transference.29 Companies can agree to anything on [...]
26 Gladwell, M.; What the Dog Saw, Little, Brown and Company, USA, 2009
27 Berger, L.; J. Hershey; “Moral Hazard, Risk Seeking, and Free Riding,” Journal of Risk and Uncertainty, October 1994, https://ideas.repec.org/a/kap/jrisku/v9y1994i2p173-86.html
28 Op cit Vose
29 Bakshi, S.; “Is Outsourcing Truly Considered Risk Sharing?,” @ISACA, 12 May 2021, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-12/is-outsourcing-truly-considered-risk-sharing
The Misconception That All Forms of Loss Are Covered

A common misconception when using risk transference as a reduction method is the perception that the policy covers all forms of loss. For example, suppose an enterprise’s cyberinsurance policy is for $50 million and the forecast losses from a data breach are $50 million. In this case, it does not follow that risk exposure is reduced to zero. Cyberinsurance—and all other insurance policies—cover specific events and conditions. Understanding the factors that comprise a loss event, identifying which ones apply to particular risk scenarios, and subsequently pricing them is exceedingly hard for enterprises that use qualitative risk methodologies. Those that use quantitative models will have a much easier time [...] scenarios, performing a gap analysis of the forms of loss that are covered and not covered, and using the results to make resource allocation decisions.

Considering that insurance may not cover all areas of loss, that it is purchased on aggregate risk instead of a single scenario, and that it can lead to irrational decision making, it is essential to carefully analyze the effect insurance has on risk exposure before making a purchase and at regular intervals thereafter.

Performing a gap analysis of individual loss factors that are being transferred and not transferred can illuminate and inform whether an enterprise is making the right risk response choice. Figure 6 shows Open FAIR’s common forms of loss that can arise from an operational, security or enterprise risk incident.30
30 Suarez, T.; “A Crash Course on Capturing Loss Magnitude with the FAIR Model,” FAIR Institute Blog, 20 October 2017, www.fairinstitute.org/blog/a-crash-course-on-capturing-loss-magnitude-with-the-fair-model
FIGURE 6: Risk Transfer/Sharing Gap Analysis Using Open FAIR’s 6 Forms of Loss
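The gap analysis that figure 6 describes can be carried out mechanically once the loss forecast is broken down by form of loss and the policy terms are written down. The following Python is an added example, not code from the ISACA paper or the FAIR Institute; the six categories are the standard Open FAIR forms of loss, while the $50 million data-breach forecast and the policy terms (aggregate limit, deductible, a sublimit on response costs, and exclusions for competitive advantage and reputation) are constructed to make the paper's point concrete: a $50 million policy against a $50 million forecast still leaves a large retained exposure.

```python
"""Gap analysis of a cyberinsurance policy against Open FAIR's six forms of loss.

Added example, not from the ISACA paper. The six categories are the standard
Open FAIR forms of loss; the loss forecast and policy terms below are constructed.
"""

FAIR_FORMS_OF_LOSS = (
    "productivity",           # lost revenue or output while operations are disrupted
    "response",               # forensics, legal counsel, notification, public relations
    "replacement",            # rebuilding systems, replacing assets
    "fines_and_judgments",    # regulatory penalties, settlements
    "competitive_advantage",  # value lost when IP or strategy leaks
    "reputation",             # lost customers, share price, cost of capital
)


def gap_analysis(forecast, policy):
    """Compare a per-form loss forecast with what a policy would actually pay.

    forecast: {form: dollars} for the scenario being analysed.
    policy:   {"limit": aggregate limit, "deductible": first-dollar amount retained,
               "sublimits": {form: cap}, "excluded": set of forms the policy does not cover}.
    Returns the per-form coverage table plus scenario totals.
    """
    per_form = {}
    eligible = 0.0
    for form in FAIR_FORMS_OF_LOSS:
        amount = float(forecast.get(form, 0.0))
        if form in policy.get("excluded", set()):
            covered = 0.0                                     # excluded form: nothing transfers
        else:
            covered = min(amount, policy.get("sublimits", {}).get(form, float("inf")))
        per_form[form] = {"forecast": amount, "eligible": covered, "uncovered": amount - covered}
        eligible += covered
    total = sum(row["forecast"] for row in per_form.values())
    # The deductible comes off the eligible amount, then the aggregate limit caps the payout.
    insurer_pays = min(max(eligible - policy.get("deductible", 0.0), 0.0), policy["limit"])
    return {"per_form": per_form, "total_forecast": total,
            "insurer_pays": insurer_pays, "retained": total - insurer_pays}


if __name__ == "__main__":
    # Constructed data-breach forecast totalling $50M, set against a $50M policy.
    forecast = {"productivity": 5e6, "response": 8e6, "replacement": 2e6,
                "fines_and_judgments": 15e6, "competitive_advantage": 12e6, "reputation": 8e6}
    policy = {"limit": 50e6, "deductible": 1e6, "sublimits": {"response": 5e6},
              "excluded": {"competitive_advantage", "reputation"}}
    result = gap_analysis(forecast, policy)
    for form, row in result["per_form"].items():
        print(f"{form:<22} forecast ${row['forecast'] / 1e6:5.1f}M  uncovered ${row['uncovered'] / 1e6:5.1f}M")
    print(f"insurer pays ${result['insurer_pays'] / 1e6:.1f}M, retained ${result['retained'] / 1e6:.1f}M")
```

With these constructed terms the insurer pays $26 million of the $50 million forecast and $24 million stays with the enterprise, almost all of it in the two excluded forms of loss plus the part of response cost above the sublimit. That retained figure, rather than the policy's face value, is what belongs in the risk register and in the capital-reserve discussion, and the same function can be re-run at each renewal as the paper recommends.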
Risk Acceptance
Acceptance is a valid response when risk is below the enterprise’s tolerance for risk, or when the cost of mitigating or transferring the risk outweighs the projected reduction in risk exposure.

Some enterprises will accept risk and implement monitoring (e.g., key risk indicators) to detect changes. Other risk can be accepted temporarily, buying time to design countermeasures or free up capital to invest in mitigation projects. Some enterprises take the position that all risk should be mitigated, as long as it is cost-effective. Regardless of the approach taken, it should be consistent, aligned with the enterprise’s objectives and appetite for risk.

Technically speaking, all risk response options except for “avoid” involve some element of risk acceptance, as it is not possible to entirely mitigate or transfer all risk. Some risk will always be retained, even when risk is reduced or shared with a third party. Risk portfolios must reflect the retained risk.

Accepting risk can be a good option when the following circumstances are present:
• A particular risk is below the enterprise’s appetite. Risk is accepted and monitored to free up resources to respond to risk that exceeds the appetite.
• The cost of mitigating the risk is higher than a projected reduction in risk exposure.
• A risk response would not measurably change the risk.
• Other business projects or initiatives need resourcing first.

In all cases, KRIs should be implemented to monitor the risk, threat landscape and control environment. KRIs will help management know if a previously accepted risk is rising, prompting action before the risk exceeds the enterprise’s appetite.

Another consideration is ensuring that the enterprise has enough capital reserves to cover all retained risk. Capital reserves can be viewed as an emergency fund—typically cash set aside for contingencies or to offset losses. A single risk probably would not need this kind of consideration, especially if there is alignment with the risk appetite. However, relevant risk should be considered in aggregate—especially if an event could occur within a short period. Implementing KRIs and ensuring sufficient capital reserves are the best ways to optimize the “accept” risk response option.
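The aggregate check the paper calls for, whether the accepted risks taken together could exhaust the capital reserve in one bad year, can be computed exactly for a small register rather than estimated. The Python below is an added example and not code from the ISACA paper. It assumes each accepted risk is an independent annual event with one probability and one loss amount (a deliberate simplification), enumerates every occur/not-occur combination, and reports the probability that the combined loss exceeds reserves; the six register entries, the per-risk appetite and the reserve figure are all constructed.

```python
"""Aggregate retained risk versus capital reserves for a register of accepted risks.

Added example, not from the ISACA paper. Each accepted risk is modelled as an
independent annual event with a probability and a single loss amount (assumed
model, constructed values). All 2**n combinations are enumerated exactly.
"""
from itertools import product


def aggregate_loss_distribution(risks):
    """Exact distribution of total annual loss for independent (name, probability, loss) risks.
    Returns {total_loss: probability} over every occur/not-occur combination."""
    dist = {}
    for outcome in product((0, 1), repeat=len(risks)):
        prob, total = 1.0, 0.0
        for occurs, (_, p, loss) in zip(outcome, risks):
            prob *= p if occurs else (1.0 - p)
            total += loss if occurs else 0.0
        dist[total] = dist.get(total, 0.0) + prob
    return dist


def probability_exceeding(dist, threshold):
    """P(total annual loss > threshold), read straight off the exact distribution."""
    return sum(p for total, p in dist.items() if total > threshold)


def expected_aggregate_loss(risks):
    """Sum of probability-weighted losses: the expected annual cost of the accepted register."""
    return sum(p * loss for _, p, loss in risks)


def acceptance_review(risks, per_risk_appetite, capital_reserves, max_reserve_breach):
    """Flag risks that are individually outside appetite, then test the register in
    aggregate: is the chance of losses exceeding reserves below the tolerated level?"""
    individually_out = [name for name, _, loss in risks if loss > per_risk_appetite]
    dist = aggregate_loss_distribution(risks)
    p_breach = probability_exceeding(dist, capital_reserves)
    return {"individually_outside_appetite": individually_out,
            "expected_aggregate_loss": expected_aggregate_loss(risks),
            "p_losses_exceed_reserves": p_breach,
            "reserves_adequate": p_breach <= max_reserve_breach}


if __name__ == "__main__":
    # Constructed register of accepted risks: (name, annual probability, loss if it occurs).
    register = [("legacy VPN appliance", 0.30, 3.0e6),
                ("unpatched internal app", 0.25, 2.5e6),
                ("vendor with broad access", 0.20, 4.0e6),
                ("phishing-driven payment fraud", 0.35, 1.5e6),
                ("unencrypted backups", 0.10, 4.5e6),
                ("shadow SaaS data", 0.15, 2.0e6)]
    # Every entry is under the $5M per-risk appetite; the question is the aggregate.
    review = acceptance_review(register, per_risk_appetite=5e6,
                               capital_reserves=6e6, max_reserve_breach=0.05)
    for key, value in review.items():
        print(f"{key}: {value}")
```

The result is the figure a KRI programme should track: when a new risk is accepted, or when an indicator shows an existing one rising, re-run the review and see whether `p_losses_exceed_reserves` has crept past the tolerated level, which is the signal to mitigate, transfer or top up reserves before the aggregate, not just any single entry, is out of appetite. For a register too large to enumerate, the same question is answered with the Monte Carlo approach used for loss exceedance curves.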
[...] not make economic sense. Mitigation should be reduced, removed or redesigned.
• User friction—User friction is “anything that prevents a user from accomplishing a goal in your product.”31 User friction can [...]

[...] reduced, helping leadership forecast how and where controls contribute to risk reduction. Figure 7 shows a hypothetical example of a company’s [...]
Figure 7 (loss exceedance curves; plot not reproduced): y-axis “Probability of exceeding loss,” 0% to 100%; x-axis “Loss exceeded,” $0 to $100,000,000; series: Loss exceedance tolerance, Current risk, After control removal.
31 Rekhi, S.; “The Hierarchy of User Friction,” Medium, 6 July 2017, https://medium.com/@sachinrekhi/the-hierarchy-of-user-friction-e99113b77d78
Another Form of Risk Increase: Recipient of Risk Sharing

There is one more common form of choosing to increase risk, although enterprises that engage in it may not think of it this way. It occurs when an enterprise agrees to be the recipient of risk via sharing or transfer. Third-party service providers can also fall into this category; they can choose to take on risk by bringing on more clients, increasing their risk exposure to cyberattacks. Assuming that the enterprise can cover the exposure from a capital reserves standpoint and risk models are adjusted as risk increases, this is just the price of doing business.
Conclusion
Risk response is complex. Choosing and optimizing an efficient response goes beyond picking “mitigate” as a default when a risk analysis is complete and is fraught with additional problems like unintended consequences, inefficiencies and moral hazard. Intrepid risk managers will always have their fingers on the pulse of an ever-changing risk landscape. Threat actors change and evolve over time. Controls also evolve; evolving password and authentication requirements are a good example. As regulations, laws and legal requirements change, so do the loss magnitude forecasts of risk analyses.

Risk response should be active and continuous, not a passive “set it and forget it” approach. Implementing key risk, performance and control indicators (KRI, KPI, KCI) to serve as early warnings that risk changes may be on the horizon is one way to be proactive. Another is to continuously reassess risk, even risk that is way below tolerance and has long been accepted. Leadership does not want to be caught off guard if a risk that is suddenly increasing is missed because the last assessment is too old to inform decisions. Annual or semi-annual new and emerging risk workshops with a diverse cross-section of subject-matter experts can lead to finding risk-register blind spots. Risk workshops will help inform the management of risk overall, including response.

The objective of risk response is to achieve enterprise goals through efficient risk management. The purpose is not risk mitigation. Optimized risk response may mean the strategic acceptance, transference or increase of risk if the analysis supports it.

Risk quantification may be the risk manager’s single most effective tool in identifying and weighing the pros and cons of available options. Enterprises not currently using risk quantification should consider implementing it, at a minimum, to assist in making the most critical strategic risk decisions.
Acknowledgments
ISACA would like to acknowledge:
Asaf Weisberg
CISA, CISM, CGEIT, CRISC
Chief Executive Officer, introSight Ltd.,
Israel
Tracey Dedrick
ISACA Board Chair, 2020-2021
Former Chief Risk Officer, Hudson City
Bancorp, USA
About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide Feedback: www.isaca.org/optimizing-risk-response
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created Optimizing Risk Response (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS
© 2021 ISACA. All rights reserved.