
Optimizing Risk Response

Risk © 2021 ISACA. All Rights Reserved.


Personal Copy of Achmad Arzal Fariz (ISACA ID: extranet\arzal.fariz@gmail.com)
2 OPTIMIZING RISK RESPONSE

CONTENTS

4 Introduction
5 Optimizing Risk Response—Risk Management vs. Business Strategy
5 Current Thinking on Risk Response
7 Defining and Calculating Risk
7 / Positive Risk
8 Response Options Influence Risk
9 Allowing Risk Appetite to Guide Decision Making
9 / Managing Risk on the Loss Exceedance Curve
11 Making the Most of Risk Mitigation
11 / Ascertaining the Cost of Response
13 Optimizing Risk Sharing
13 / Moral Hazard
14 / Inability of a Third Party to Realistically Accept Risk
15 / The Misconception That All Forms of Loss Are Covered
15 / Gap Analysis on Risk Sharing
16 Risk Acceptance
17 Beware of Secondary Risk
17 Increase Risk—A Viable Option
19 / Another Form of Risk Increase: Recipient of Risk Sharing
19 Conclusion
20 Acknowledgments


ABSTRACT
This white paper provides an overview of options for optimizing risk management in the
enterprise, based on current frameworks in widespread use, and is intended for use by
enterprise decision makers and risk managers. It addresses the five common responses
to negative risk: avoid, share/transfer, mitigate, accept and increase. Examples illustrate
the potential benefits and common pitfalls associated with each response. This paper
emphasizes the complexity of risk decision making in a constantly changing threat
landscape. Further, it underscores the ultimate purpose of risk management, which is to
achieve enterprise objectives.


Introduction

Responding to risk is a part of daily life, whether using a formalized and structured risk management framework or informal mental models. Think about the choices drivers make every time they get into a car and implement various strategies to respond to risk related to driving. The dangers of driving a vehicle are well-known, and drivers are willing to accept some risk to meet an objective, such as going to work. Some risk can be mitigated by wearing a seat belt, driving a car with enhanced safety features, and engaging in defensive driving. A portion of the driving risk typically is transferred to a third party via automobile insurance. To complicate matters, everyone is willing to take on a different level of risk, so the manner of driving, level of insurance, and car safety features employed vary.

Today’s risk managers face similar issues, but with multiple layers of complexity. Their role is to ensure that risk-taking and risk response are aligned with strategic objectives. In a rapidly evolving technology, regulatory and threat landscape, the task of identifying the most efficient course of action for resource expenditure can be mind-boggling. Formally, this process is called “risk response.” The following four dispositions help enterprises manage risk efficiently, focusing on risk with the greatest potential impact on organizational objectives should the risk materialize:

• Risk avoidance
• Risk mitigation
• Risk sharing or transfer
• Risk acceptance

The purpose of risk response is to bring risk in line with defined risk appetite in the wake of risk analysis. A response needs to be defined so that future residual risk (current risk with the risk response defined and implemented) falls within risk appetite limits as much as possible (usually depending on budgets available).1

In other words, risk response is the formal process an enterprise adopts to decide what to do with risk after it is identified and assessed. The previous definition, however, does not completely describe the complexity of the problem. Rather than choosing one response option, risk managers usually employ a combination of options. Achieving the right balance among options can be a challenge for some risk managers as each option has pros, cons, efficiencies, inefficiencies, unintended consequences and costs—both tangible and intangible. Complicating matters, the topic of risk response is not always consistent across major frameworks and prevailing literature.

This white paper is not a summary of risk response options and definitions. Instead, the goal of this white paper is to confront the inconsistencies, opportunities, obstacles, strengths and weaknesses inherent in risk response options, providing readers with an understanding of how to manage risk in a way that aligns with enterprise goals and risk culture.

Through this understanding, risk managers can move beyond the Risk IT Framework definition. There is more to risk response than simply ensuring that risk is within the enterprise’s appetite or moving reds (severe) to yellow (moderate).2 Successful enterprise decision making means risk is holistically tied to the execution of strategic goals. When this connection is achieved, the purpose of risk management moves beyond reducing risk and becomes part of the efficient allocation of enterprise resources. Optimizing resources often requires implementing a combination of choices that are the result of careful analysis.

1 ISACA, Risk IT Framework, 2nd Edition, USA, 2020, www.isaca.org/bookstore/bookstore-risk-print/ritf2
2 Risk is often noted using a stoplight color scheme where red indicates a severe or major risk, yellow indicates a moderate risk and green indicates an acceptable or inconsequential risk.


Optimizing Risk Response—Risk Management vs. Business Strategy

Risk response is not performed in a vacuum. Each risk response option can lead to a change in risk (usually lower, but that is not always the case). There are many considerations from both a risk management and business strategy perspective. Enterprises must carefully ensure the following when weighing risk response options:

• The strategy to respond to risk supports the enterprise’s goals, objectives and IT strategic alignment.
• The strategy to respond to risk does not contradict the enterprise’s value proposition.
• The strategy to respond to risk is aligned with the enterprise’s risk appetite and tolerance.
• The enterprise has the ability, risk maturity, and the appropriate people, processes and technology to execute the chosen risk response option.
• The enterprise has considered how each risk response option influences the components of risk (loss frequency, loss magnitude and risk velocity).
• The pros and cons of each option have been evaluated.
• The cost and efficiency of the response is commensurate with the level of risk reduction.

It is essential to set optimization goals aligned with the enterprise’s risk appetite when determining how to respond to risk. For example, an enterprise may choose to optimize security, to reduce end-user friction, to ensure the efficient allocation of resources (e.g., time, people, money), to focus on safety, to address regulatory concerns, or a combination of the above.

Some enterprises simply set the optimization goals to always mitigate (e.g., move reds to yellow and yellows to green within a specified time frame). Enterprises will find that they can unlock a competitive advantage if they progress beyond mitigation as the default response and create a process in which each risk is evaluated, weighed in terms of pros and cons, and considered as a means to execute the enterprise’s value proposition.

Current Thinking on Risk Response

The subject of risk response is present in virtually every risk-management framework, spanning various disciplines from financial to project management, enterprise, operational, and information security risk.

The most common frameworks include:

• ISACA, COBIT Focus Area: Information and Technology Risk3 and Risk IT Framework, 2nd Edition4
• Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Enterprise Risk Management—Integrated Framework”5
• International Organization for Standardization (ISO®), ISO 31000:2018 Risk management – Guidelines6 and ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management7
• National Institute of Standards and Technology (NIST), Special Publication 800-39, “Managing Information Security Risk: Organization, Mission, and Information System View”8
• Project Management Institute (PMI), A Guide to the Project Management Body of Knowledge9

The common assertion of the above frameworks: The goal of risk response is creating and sustaining a formalized process in which all identified risk is considered in the context of business decisions and enterprise strategic objectives, aligned to leadership’s appetite for loss, and addressed in the most efficient manner possible. Across all frameworks, there are four general themes for risk response: avoid, accept, share/transfer and mitigate. ISO 31000 includes the concept of increasing risk as a viable option, while the PMI’s Project Management Body of Knowledge diverges from the group and includes the concept of positive risk. The framework names may vary, but the definitions and overall intentions are the same.

• Avoid—The enterprise makes changes so that the loss event does not occur; risk is eliminated. Avoiding a risk also means abandoning any possible opportunities associated with the activity.
• Share/transfer—Risk is either partially shifted (shared) or completely shifted (transferred) to a third party.
• Mitigate—Risk is reduced by performing activities that reduce either the frequency of events or the probable loss. Activities include the implementation of compensating controls or the redesign of processes. Mitigation activities also include measures to limit the loss after an event occurs, such as business continuity and contingency planning, preparedness, and setting up retainer agreements with external firms that provide additional response capabilities.
• Accept—Essentially, this option is to do nothing. The enterprise retains the risk.
• Increase—The strategic removal of other risk response options (mitigate, transfer) with the goal of increasing one’s risk exposure. Although the option to increase risk is present only in the “ISO 31000” framework, it is covered in many books, including David Vose’s Risk Analysis: A Quantitative Guide,10 where it is listed as a viable way to respond to risk.
• Exploit—If the risk is determined to be positive and below the established thresholds (e.g., appetite), management can take action to exploit the positive aspects of risk. The concept of positive risk is not new, but it is unique to PMI’s “Project Management Body of Knowledge” as an option in an established framework.

Figure 1 highlights the differences among major frameworks.

FIGURE 1: Survey of Risk Response Options in Common Risk Frameworks

                         ISACA Risk IT    COSO ERM         ISO 27005        ISO 31000                   NIST 800-39      PMI PMBoK
                         Framework        Framework
Name                     Risk Response    Risk Response    Risk Treatment   Risk Treatment              Risk Response    Risk Response
Number of Options        4                5                4                7                           4                5
Theme: Avoid             Avoid            Avoid            Avoid            Avoid; Remove risk source   Avoid            Avoid
Theme: Accept or Retain  Accept           Accept           Retain           Retain                      Accept           Accept
Theme: Share/Transfer    Share/Transfer   Share            Share            Share                       Share/Transfer   Transfer
Theme: Mitigate          Mitigate         Reduce           Modify           Change likelihood;          Mitigate         Mitigate
                                                                            Change consequences
Theme: Increase          —                —                —                Increase                    —                —
Theme: Positive Risk     —                —                —                —                           —                Exploit

3 ISACA, COBIT Focus Area: Information and Technology Risk, USA, 2021, www.isaca.org/bookstore/bookstore-cobit_19-digital/wcb19irfa
4 Op cit ISACA, Risk IT Framework, 2nd Edition
5 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks,” October 2018, www.coso.org/Documents/COSO-WBCSD-ESGERM-Guidance-Full.pdf
6 International Organization for Standardization (ISO®), ISO 31000:2018 Risk management – Guidelines, February 2018, www.iso.org/standard/65694.html
7 ISO, ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management, July 2018, www.iso.org/standard/75281.html
8 National Institute of Standards and Technology (NIST), “Managing Information Security Risk: Organization, Mission, and Information System View,” March 2011, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
9 Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK® Guide), USA, 2017
10 Vose, D.; Risk Analysis: A Quantitative Guide, Wiley, USA, 2008

Defining and Calculating Risk

Every action an enterprise takes to respond to risk can have a ripple effect, influencing not only risk but other systems and processes. Understanding how each response option influences risk—and more important, how the option is implemented—is the next logical step toward gaining efficiency and optimization in the risk management process.

In statistics, probability theory, decision science, actuarial science and many other fields, the basic risk equation is well established: It is a calculation of the probability that an event will occur and the magnitude of losses if it does. Some frameworks or models, especially in the field of information security, have rewritten the basic risk equation. One such example is the Common Vulnerability Scoring System (CVSS),11 which uses a calculation other than probability and asset value to determine magnitude.

With various definitions of risk and varying methods of calculating risk, the standardization of definitions of core risk concepts is an open problem in the field. It is critical that risk managers set and widely socialize these definitions as a first step in building a program. Adopting definitions from a major framework, as opposed to creating one’s own, will ease confusion and help guard against contradictory concepts creeping into an enterprise’s program.

Figure 2 shows the top-level, basic risk equation from the Open FAIR (Factor Analysis of Information Risk)12 standard. “Loss event frequency,” known as “probability” or “chance” in other models, is the frequency at which an adverse event is expected to occur. “Loss magnitude,” also known as “impact” or just “magnitude,” is the probable cost of the adverse event if it occurs. Note that “loss” is used in both terms; Open FAIR does not use the concept of positive risk.

FIGURE 2: Open FAIR’s Risk Equation
[Tree diagram: Risk at the top, decomposed into its two factors, Loss Event Frequency and Loss Magnitude.]
Source: The Open Group, “Risk Taxonomy (O-RT), Version 3.0,” 18 Nov. 2020, figure 3, https://publications.opengroup.org/standards/open-fair-standards/c20b

Positive Risk

The concept of “positive risk” is controversial and is the subject of debate13 in the risk management field. There are two schools of thought: The first maintains that risk is only negative—that is, its potential is limited to adverse events. The second way of thinking is that risk can be positive or negative—both opportunities and adverse events can result from risk.

The root cause of the disagreement goes to the very definition of risk itself. Most frameworks, books on the subject, and risk managers adopt the view that risk is the adverse consequence of an event. The Society for Risk Analysis (SRA) defines risk as “…a future activity…for example, the operation of a system,” and frames risk “in relation to the consequences (effects, implications) of this activity with respect to something that humans value. The consequences are often seen in relation to some reference values (planned values, objectives, etc.), and the focus is often on negative, undesirable consequences. There is always at least one outcome that is considered as negative or undesirable.”14

It is worth noting several risk experts’ comments on this issue. The concept of positive risk “tries to fundamentally redefine risk by adding the potential for gains to the risk equation” and “complicates an already challenging landscape and is unnecessary.”15 “Risk is a negative thing by nature and it requires risk management to avoid exposing our organizations to unnecessary harm.”16

As mentioned previously, PMI’s concept of “positive risk” is not new, but it is rare for a risk framework to include it. As risk managers seek to optimize the ways their enterprises respond to risk, they must first set clear and concise definitions for foundational terms, including the definition of risk itself. This paper uses the definition of risk as including negative events only.

How Response Options Influence Risk

With the definition of risk and how it is calculated established, an examination of how response options influence the frequency and magnitude of adverse events is in order. Some options affect both, as shown in figure 3. Making the distinction between activities that influence frequency and those that affect magnitude is so essential that ISO 31000 splits them into separate risk response categories.17

Making the most of risk response efforts requires a firm understanding of how each action influences risk. For example, a common misconception exists that a $50 million cyberinsurance policy purchased to cover $50 million in risk costs eliminates all risk. That is not the case. The loss event still occurs for the enterprise; it is just (presumably) getting reimbursed for covered losses.

FIGURE 3: How Risk Response Options Influence Risk

Avoid: By removing the possibility of the loss event occurring entirely, avoid influences both the frequency and magnitude of an event.
Accept: All risk is retained; therefore, both the frequency and magnitude of a loss event are unchanged.
Share/Transfer: Sharing or transferring risk does not influence the probability of an event. The event still happens. Sharing or transferring risk spreads the cost of an event (loss magnitude) among multiple parties.
Mitigate: Depending on the mitigation controls selected, both the frequency and magnitude sides of the risk equation can be influenced. For example, preventive controls such as fences and locks, multi-factor authentication, and antivirus software can directly or indirectly reduce the frequency of loss events. Detective controls such as logging, incident response, and surveillance cameras can catch an event in progress, allowing early intervention, which can reduce the magnitude of an event.
Increase: Depending on the type of controls that are reduced, or other action that is taken, both the frequency and magnitude of a loss event are increased.

11 Robinson, C.; “Why CVSS does not equal risk: How to think about risk in your environment,” Red Hat Blog, 10 July 2019, www.redhat.com/en/blog/why-cvss-does-not-equal-risk-how-think-about-risk-your-environment
12 The Open Group Library, “Open FAIR™ Standards,” https://publications.opengroup.org/standards/open-fair-standards
13 Freund, J.; “Good Risk or Bad Risk?,” @ISACA, 8 June 2020, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2020/volume-12/good-risk-or-bad-risk
14 Society for Risk Analysis (SRA), “Society for Risk Analysis Glossary,” August 2018, www.sra.org/wp-content/uploads/2020/04/SRA-Glossary-FINAL.pdf
15 Jones, J.; “Clarifying ‘Upside’ and ‘Positive’ Risk,” FAIR Institute, 30 October 2018, https://www.fairinstitute.org/blog/clarifying-upside-and-positive-risk
16 Op cit Freund, “Good Risk or Bad Risk?”
17 Op cit ISO, ISO 31000:2018 Risk management – Guidelines


Allowing Risk Appetite to Guide Decision Making

Efficient and optimized risk response decisions need guidelines and guardrails. For most enterprises, this comes in the form of risk appetite, risk tolerance, and risk capacity thresholds. ISACA’s Risk IT Framework, 2nd Edition, defines these terms as follows:

• Risk appetite—The broad-based amount of risk an enterprise or other entity is willing to accept in pursuit of its mission (or vision).
• Risk tolerance—The acceptable range relative to the achievement of a given objective (best when quantified in terms of the same unit measure as the related objective).
• Risk capacity—The objective magnitude or amount of loss that an enterprise can tolerate without risking its continued existence.18

The COSO and COBIT Focus Area: Information and Technology Risk frameworks guide the risk manager to use risk appetite and tolerance as the starting point when choosing risk response options.19, 20 If the risk is well below tolerance, the enterprise may choose to accept the risk, focusing resources on risk that exceeds the established thresholds. If the assessed risk exceeds tolerance, the enterprise should choose a method that reduces it.

After reducing risk to a level that is within tolerance, the enterprise should establish regular monitoring paired with key risk indicators (KRIs).

Managing Risk on the Loss Exceedance Curve

The loss exceedance curve (also known as an exceedance probability curve) is a common risk data visualization used in finance, insurance and other fields showing the probability of losses exceeding a predetermined level. It is an invaluable tool for enterprises seeking to fully optimize the risk management and risk response process. It provides decision makers with complete risk information, showing the full range of losses stemming from an adverse event.

Figure 4 shows an enterprise’s risk tolerance, with an example risk graphed to a loss exceedance curve. This enterprise is willing to take on more probable risk at the lower dollar amounts to achieve its objectives, but it becomes risk-averse at higher ranges. Because risk-taking is an unavoidable component of running an enterprise, the focus of risk management should not be on mitigation, contrary to typical heat maps.

The focus of risk management—and by extension, risk response—should be to help the enterprise use a data-driven approach that aligns with its objectives both to take and mitigate risk. A recent ISACA Journal article elaborates on this point: “The end state of the (response) activity is risk integrated with the corporate strategy and business management weighing risk/return implications and potential risk trade-offs in their strategic and operational decisions.”21

18 Op cit ISACA, Risk IT Framework, 2nd Edition
19 Op cit Committee of Sponsoring Organizations of the Treadway Commission (COSO)
20 Op cit ISACA, COBIT Focus Area: Information and Technology Risk
21 Vohradsky, D.; “A Model and Best Practices for Risk Transformation,” ISACA® Journal, vol. 3, May 2019, www.isaca.org/resources/isaca-journal/issues/2019/volume-3/a-model-and-best-practices-for-risk-transformation


FIGURE 4: Loss Exceedance Curve
[Chart: x-axis “Loss exceeded,” $0 to $30,000,000; y-axis “Probability of exceeding loss,” 0% to 100%; two curves, “Loss exceedance tolerance” and “Risk #1.”]

Another advantage of the loss exceedance curve is that it gives decision makers the ability to decide where on the curve they want to manage risk. For example, a risk-averse enterprise may choose to focus response efforts on risk with a 50% probability of exceeding $10 million; an enterprise that is risk-seeking and has capital reserves to cover losses may manage risk with a 10% probability of exceeding $25 million.

Risk-averse organizations will want to respond to a wide range of possible outcomes; therefore, they could manage to 50% probability. They will invest in mitigation efforts to reduce the chances of losses equaling or exceeding $10 million because they cannot or will not tolerate the loss. Risk-seeking organizations will want to hold on to that capital for other projects and will only manage worst-case scenarios, for example, $25 million or more at 10%. Risk seekers have a higher tolerance for risk and are willing to accept losses that are below $25 million, and only mitigate extreme losses.

Plotted on a heat map, Risk #1 in figure 4 probably would end up in the red quadrant because it is possible to have $30 million in losses—the upper end of the loss range. Heat maps show a single outcome. The loss exceedance curve shows that risk can have a range of outcomes. A data breach is still a data breach, regardless of whether 500 records or 500 million records are compromised, but losses to the enterprise will significantly differ. Giving leadership insight and transparency into the full range of risk is a significant advantage of using a loss exceedance curve over using heat maps.22

22 More information on creating loss exceedance curves can be found in Hubbard, D.; R. Seiersen; How to Measure Anything in Cybersecurity Risk, Wiley, USA, 2016
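As an added worked derivation (this editor's, not the paper's), the two Open FAIR factors of figure 2 connect to the loss exceedance curve of figure 4 as follows. It assumes that the number of loss events in a year, $N$, is independent of the individual event magnitudes $X_i$, and that the $X_i$ are independent and identically distributed:

$$
L=\sum_{i=1}^{N} X_i,\qquad \mathrm{LEF}=\mathbb{E}[N],\qquad \mathbb{E}[\mathrm{LM}]=\mathbb{E}[X_i]
$$

$$
\mathbb{E}[L]=\mathbb{E}[N]\,\mathbb{E}[X_i]=\mathrm{LEF}\cdot\mathbb{E}[\mathrm{LM}]\quad\text{(Wald's identity)}
$$

$$
\mathrm{LEC}(x)=P(L>x),\qquad \mathbb{E}[L]=\int_{0}^{\infty}P(L>x)\,dx\quad\text{since } L\ge 0
$$

So the annualized loss expectancy is the area under the whole curve, whereas a heat-map rating or a single reading such as $P(L>\$10\text{ million})=50\%$ in figure 4 is one point on it. Sharing the risk through insurance with a per-event deductible $d$ and limit $c$ replaces each $X_i$ by $X_i-\min\{(X_i-d)^+,\,c\}$ and leaves $N$ untouched, which is the point made under figure 3: reimbursement reduces the magnitude retained, it does not prevent the event.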


Making the Most of Risk Mitigation


According to COBIT 2019: Designing an Information and Options such as these and other risk mitigation methods
Technology Governance Solution, mitigate is the most need to be weighed with the cost of implementation and
common form of risk response. 23 23
This is the end-to-end any other effects they may have. Enterprises should
process of designing and identifying mitigating controls always consider the cost of the response, opportunity
that align with enterprise governance and management costs, any secondary risk mitigation efforts may cause,
objectives for risk managers. Risk mitigation can mean and potential unintended consequences.
implementing traditional controls, such as preventive,
detective or corrective controls.
Ascertaining the Cost of
Example Response
Enterprises that want to optimize their risk response
Control-based mitigation: A comprehensive risk
should start by tying budget to risk reduction. Consider
assessment reveals inadequate controls in the area of
this: If investments move risk from red to yellow, the
financial and accounting fraud. Management
enterprise is only halfway there. Risk managers can verify
implements a dual control system requiring two people
the risk is mitigated, but they do not know how much risk
for the performance of a financial transaction. This
exposure each dollar of investment eliminated.
example is a preventive control; it is designed to prevent
Economists call this the “value for money”—also known as
an event from occurring. While not foolproof, it will
“bang for the buck.” If the investment-to-risk reduction
reduce the frequency of events.
ratio is off, an enterprise could be spending more money
It can also involve using people, processes or than it is getting back in mitigation, resulting in significant
technologies—or a combination—to influence the factors inefficiencies.
that comprise risk.
For example, a company could be spending $10 million
Example per year on risk mitigation measures, only to reduce risk
by $2 million. This inefficiency would never be revealed
People and process-based mitigation: The risk of a data
with qualitative risk techniques: Year over year, reds would
breach exceeds an enterprise’s appetite, and the
get mitigated to yellow, and yellows would get mitigated
internal security team is not staffed to respond in a
to green, obfuscating the unfortunate truth. Quantitative
reasonable time frame. Leadership puts incident
risk analysis would reveal this inefficiency quickly, giving
response, forensics and public relations firms on
leadership the chance to respond. The enterprise could
retainer to react quickly to an incident. While this
choose alternative mitigation measures, share the risk
increases costs now, the firm’s analysis shows that
with a third party, or simply stop mitigating the risk and
retainers lower the projected overall response cost for
use the money and resources elsewhere, where it would
significant cyber incidents. Retainers do not affect the
provide more value.
frequency of occurrence, but they can reduce the loss
magnitude. One method to ascertain the value for money as it
pertains to risk is to run a series of comparison risk
analyses. The first analysis would establish the baseline

23
23
ISACA, COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, www.isaca.org/bookstore/bookstore-
cobit_19-digital/wcb19dgd

© 2021 ISACA. All Rights Reserved.

Personal Copy of Achmad Arzal Fariz (ISACA ID: extranet\arzal.fariz@gmail.com)


12 OPTIMIZING RISK RESPONSE

or current risk, and each subsequent analysis would measure proposed mitigation activities, providing valuable data on where to invest.

Example

A US-based pharmaceutical company is worried about intellectual property (IP) theft. There have been several incidents in the past of both accidental and intentional disclosure of confidential company information. Several recent risk and control analyses have revealed an inadequate control environment. Furthermore, IP theft is above the established appetite for risk, so leadership wants this mitigated urgently, as long as the cost is commensurate with the expected reduction in risk.

The loss exceedance curve in figure 5 shows how the example company has run several analyses, intending to provide information to help make informed security investment decisions. There are two security controls under consideration. The first is implementing data loss prevention (DLP): a costly but effective suite of security controls that actively scan, detect and block data exfiltration, represented by the blue curve.

The second proposal is a much less expensive option: Over time, implement robust employee vetting, background checks, regular credit checks and compliance training, represented by the green curve.

The risk analysis and loss exceedance curve provide the following information:
• Enterprise’s current risk tolerance
• Current or baseline risk from intellectual property theft
• Projected risk reduction from two different risk response proposals

A quantitative risk analysis combined with the projected costs of both projects gives leadership a much more accurate picture of total return on investment than qualitative methods do.

FIGURE 5: Risk Mitigation—Two Control Options

[Chart: loss exceedance curves. Y-axis: Probability of exceeding loss (0% to 100%). X-axis: Loss exceeded ($0 to $100,000,000). Series: Loss exceedance tolerance; Implement DLP; Increased employee checks and training; Current risk.]
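The comparison described above (a baseline curve against one curve per proposed control, read together with each control’s cost) can be reproduced with a small Monte Carlo model. The following is an added example written for this edit, not code from the white paper or from ISACA. The scenario parameters (event frequencies, loss magnitudes, annual control costs and a $40 million tolerance point) are constructed for illustration, and the Poisson-frequency/lognormal-magnitude model is one common choice in quantitative risk analysis rather than something the paper prescribes. The same comparison serves the control-removal case discussed with figure 7: add a scenario with higher frequency or magnitude and read the change in exceedance probability against the savings.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk state to simulate. All values below are constructed, not from the paper."""
    name: str
    events_per_year: float   # expected number of loss events per year (Poisson)
    median_loss: float       # median loss per event, in dollars (lognormal)
    sigma: float             # lognormal dispersion of the loss magnitude
    annual_cost: float       # annual cost of the control option (0 for the baseline)


# Constructed parameters for the IP-theft example: baseline plus the two proposals.
SCENARIOS = [
    Scenario("Current risk", 2.0, 5_000_000, 1.0, 0.0),
    Scenario("Implement DLP", 0.5, 3_000_000, 1.0, 4_000_000),
    Scenario("Increased employee checks and training", 1.2, 5_000_000, 1.0, 500_000),
]

LOSS_TOLERANCE = 40_000_000  # constructed point on the loss exceedance tolerance line


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(s: Scenario, years: int, seed: int = 7) -> list[float]:
    """Return one simulated total loss per simulated year for a scenario."""
    rng = random.Random(seed)  # same seed for every scenario: common random numbers
    mu = math.log(s.median_loss)
    totals = []
    for _ in range(years):
        n_events = poisson(rng, s.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(n_events)))
    return totals


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def exceedance_curve(losses: list[float], thresholds: list[float]) -> list[float]:
    """Points of the loss exceedance curve; non-increasing as the threshold grows."""
    return [exceedance_probability(losses, t) for t in thresholds]


def compare_options(scenarios=SCENARIOS, years: int = 20_000) -> dict[str, dict]:
    """For the baseline (first scenario) and each option: expected annual loss,
    probability of exceeding the tolerance point, risk reduction against the
    baseline, and net benefit once the control's annual cost is subtracted."""
    baseline = scenarios[0]
    base_losses = simulate_annual_losses(baseline, years)
    base_eal = sum(base_losses) / years
    report = {}
    for s in scenarios:
        losses = base_losses if s is baseline else simulate_annual_losses(s, years)
        eal = sum(losses) / years
        reduction = base_eal - eal
        report[s.name] = {
            "expected_annual_loss": eal,
            "p_exceed_tolerance": exceedance_probability(losses, LOSS_TOLERANCE),
            "risk_reduction": reduction,
            "net_benefit": reduction - s.annual_cost,
            "return_ratio": (reduction / s.annual_cost) if s.annual_cost else None,
        }
    return report


if __name__ == "__main__":
    for name, r in compare_options().items():
        print(f"{name}: expected annual loss ${r['expected_annual_loss']:,.0f}, "
              f"P(loss > ${LOSS_TOLERANCE:,}) = {r['p_exceed_tolerance']:.1%}, "
              f"net benefit ${r['net_benefit']:,.0f}")
```

Reading the output the way the paper reads figure 5: the option with the larger net benefit is not necessarily the one with the better return ratio, which is why both numbers are reported.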


Optimizing Risk Sharing

Risk sharing (or transfer) is very common in the financial sector, where markets and products exist to buy and sell risk (e.g., reinsurance). In these arrangements, risk is quantified and spread around various parties to limit losses. Of course, all parties share in both the upside and the downside of such opportunities. Risk transfer and sharing are typically achieved through insurance, contractual transfer and outsourcing.
• Insurance for operational, cyber, enterprise and other kinds of business risk is no different from automobile or health insurance; individuals and entities purchase a product from an issuing company that guarantees a monetary payout if the insured event occurs.
• Contractual transfer is a form of risk sharing. The primary party’s losses are limited by an indemnification, hold harmless, or other legal agreement that obligates another party to pay for a portion of losses.
• Outsourcing is a form of risk sharing often utilized when the risk exposure generated by a particular activity is excessive. The entire activity is outsourced to a third party.

In the above examples, aggregated risk scenarios, rather than individual risk scenarios, are transferred to a third party.24 Risk transfer is something of a misnomer. It is rare that risk is truly transferred; enterprises will still incur some cost if an event occurs, whether it is a response cost, communications or public relations cost, or reputational damage.

Example

The forecast cost of a data breach exceeds an enterprise’s risk appetite, and the company does not have enough cash reserves to cover the worst-case outcome. The company takes out a cyberinsurance policy to cover some of the loss factors, bringing risk exposure to an acceptable level.

The enterprise is still accountable for the risk and should measure, manage and monitor it. This is especially true in the case of technology, operational and enterprise risk. Risk sharing and risk shifting would be more appropriate labels for these types of arrangements.

Example

An enterprise uses a cloud service provider to handle all financial transactions. The master service agreement includes contractual language that states that cloud providers will be responsible for all costs of responding to a data breach and a one-time cash payout of $100,000 if one should occur. This agreement reduces the risk of a data breach on financial systems by reducing the magnitude of financial losses.

In both examples, companies (insurance and cloud providers) are the recipients of risk via the risk-sharing or transfer arrangement.

There are three general inefficiencies that enterprises need to consider when using risk sharing as a response option:
• Moral hazard
• Inability of a third party to realistically accept risk
• Misconception that all forms of loss are covered

Moral Hazard

Moral hazard is an interesting phenomenon associated with the unintended consequence of insurance policies. It describes a situation in which there is a level of information asymmetry—that is, one party has more information than the other—which leads to an increase in risk-taking on the part of the insured.25

24 Freund, J.; “Not All Risk Treatment Options Are the Same,” @ISACA, 15 March 2021, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-6/not-all-risk-treatment-options-are-the-same
25 Rowell, D.; L. Connelly; “A History of the Term ‘Moral Hazard,’” Journal of Risk and Insurance, 8 February 2012, https://doi.org/10.1111/j.1539-6975.2011.01448.x


Imagine that after purchasing cyberinsurance, a company reduces security controls that protect customer data below reasonable limits because it no longer bears the total cost of a cyber incident. Humans can be irrational when making risk decisions. Malcolm Gladwell expands on this concept: “When ABS brakes are fitted to cars, people drive faster and have more accidents because they think they are safer.”26 This is a type of unintended consequence called the Peltzman Effect.

Moral hazard comes into play when the act of purchasing insurance causes enterprises to behave differently. The insured make risk response decisions based on the information they possess, assuming that another party—the insurer—will absorb any costs. Moral hazard is nearly always problematic for insurance markets,27 but both risk and opportunity can arise for the insured.

A driver with comprehensive auto insurance might drive more recklessly than an uninsured driver, for example. The uninsured driver would bear the total cost and consequences of reckless driving, while the insured driver would have transferred most of the risk to a third party. Most would consider such behavior irrational. After all, severe injury or death can result from reckless driving—not all risk can be transferred. However, for an enterprise, purchasing insurance could reduce overall risk in certain areas, allowing it to take on more risk. If carefully considered, this could be a rational choice for the policyholder.

Having a structured and formalized risk-management program can help reduce irrational risk-taking and moral hazard. The more rigor in such a program (e.g., risk quantification), the more unintended negative consequences can be reduced.

Inability of a Third Party to Realistically Accept Risk

Contractual transfer of risk is a common form of risk sharing seen in contracts, master service agreements, hold harmless clauses, and other agreements between parties. Generally, this involves one party agreeing, directly or indirectly, to cover a portion of losses if an adverse event should occur. Contractual transfer can be an effective method of reducing an enterprise’s risk exposure.

For example, suppose a company has outsourced its payments and e-commerce services to a Software as a Service (SaaS) provider. In the contractual agreement between the company and the SaaS provider, language is typically included that states the SaaS provider is responsible for securing data and responding to cyberintrusions. Portions of loss-event costs, such as the initial response and forensics, are covered by the provider, potentially lowering the risk for the enterprise.

However, enterprises need to keep an essential factor in mind if they seek to optimize risk sharing via this method. The third party may agree to take on additional risk, but it may not have adequate capital reserves if the loss event should occur. In Risk Analysis: A Quantitative Guide, 3rd ed., David Vose describes a situation in which risk transfer is inefficient: A transferring party that is much larger than the accepting party induces a smaller company to contractually agree to make payments if a loss event occurs. However, because the smaller company does not have capital reserves to cover the exposure, it charges a premium to the larger company. The larger company may pay an excessive amount to transfer the risk—much more than the relative reduction in risk exposure gained.28

A recent ISACA article elaborates on this point in examining outsourcing as a method of risk transference.29 Companies can agree to anything on paper, but the ability to absorb accepted risk during and

26 Gladwell, M.; What the Dog Saw, Little, Brown and Company, USA, 2009
27 Berger, L.; J. Hershey; “Moral Hazard, Risk Seeking, and Free Riding,” Journal of Risk and Uncertainty, October 1994, https://ideas.repec.org/a/kap/jrisku/v9y1994i2p173-86.html
28 Op cit Vose
29 Bakshi, S.; “Is Outsourcing Truly Considered Risk Sharing?,” @ISACA, 12 May 2021, www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-12/is-outsourcing-truly-considered-risk-sharing


after an adverse event may be beyond reach for some companies, especially smaller ones. The article recommends that companies using outsourcing as a method of risk response implement “a rigorous and continuous monitoring process based on key risk indicators.”

The Misconception That All Forms of Loss Are Covered

A common misconception when using risk transference as a reduction method is the perception that the policy covers all forms of loss. For example, suppose an enterprise’s cyberinsurance policy is for $50 million and the forecast losses from a data breach are $50 million. In this case, it does not follow that risk exposure is reduced to zero. Cyberinsurance—and all other insurance policies—cover specific events and conditions. Understanding the factors that comprise a loss event, identifying which ones apply to particular risk scenarios, and subsequently pricing them is exceedingly hard for enterprises that use qualitative risk methodologies. Those that use quantitative models will have a much easier time understanding those factors.

As in the case of insurance, not all forms of loss are transferred by contractual agreements. Productivity losses, reputational damages, and the enterprise’s response costs may not be fully transferred.

Gap Analysis on Risk Sharing

Considering that insurance may not cover all areas of loss, that it is purchased on aggregate risk instead of a single scenario, and that it can lead to irrational decision making, it is essential to carefully analyze the effect insurance has on risk exposure before making a purchase and at regular intervals thereafter. This can be best achieved by using cyberrisk quantification for relevant scenarios, performing a gap analysis of the forms of loss that are covered and not covered, and using the results to make resource allocation decisions.

Performing a gap analysis of individual loss factors that are being transferred and not transferred can illuminate and inform whether an enterprise is making the right risk response choice. Figure 6 shows Open FAIR’s common forms of loss that can arise from an operational, security or enterprise risk incident.30

Enterprises that are considering transferring risk via outsourcing, insurance or contracts can use figure 6 to perform a gap analysis. The table may need modification based on enterprise needs, but risk managers can use it as a starting point. Reading the legal agreement or policy is necessary to ascertain loss forms that are retained.

A gap analysis will help leadership get a clearer view of how much risk is transferred and how much is retained. It will help inform further decisions regarding the purchase of additional coverage, ways to strengthen contractual language, the possibility of self-insuring, or performing additional risk analyses.

30 Suarez, T.; “A Crash Course on Capturing Loss Magnitude with the FAIR Model,” FAIR Institute Blog, 20 October 2017, www.fairinstitute.org/blog/a-crash-course-on-capturing-loss-magnitude-with-the-fair-model


FIGURE 6: Risk Transfer/Sharing Gap Analysis Using Open FAIR’s 6 Forms of Loss

Form of Loss | Loss Transference | Gap?
Productivity: Lost revenue; Lost wages | |
Response: Incident response team; Forensics; Management meetings; Customer notification; Credit monitoring | |
Replacement: Repair/replace capital assets | |
Competitive advantage: Loss of intellectual property; Loss of trade secrets; Loss of merger and acquisition information; Loss of market conditions information | |
Fines and judgment: Regulatory fines; Class action lawsuits; Bail | |
Reputation: Reduced market share (lost customers); Decreased projected sales growth; Reduced stock price; Increased cost of capital | |

(The Loss Transference and Gap? columns are blank in the template and are filled in from the policy or contract under review.)

Source: The Open Group, “Risk Taxonomy (O-RT), Version 3.0,” 18 Nov. 2020, figure 4.5.1, https://publications.opengroup.org/standards/open-fair-standards/c20b
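Once the forecast loss for each form of loss and the actual terms of a policy or contract are known, the gap analysis of figure 6 can be carried out mechanically. The following is an added example, not code from the white paper, from ISACA or from The Open Group. The six forms of loss and their items come from figure 6; the forecast amounts, the covered forms, the deductible and the limits are constructed so that the numbers mirror the $50 million policy example above and the $100,000 cloud-provider clause earlier in this section, and the Coverage abstraction is a deliberate simplification of real policy wording.

```python
from dataclasses import dataclass

# The six Open FAIR forms of loss and the example items listed in figure 6.
FORMS_OF_LOSS = {
    "Productivity": ["Lost revenue", "Lost wages"],
    "Response": ["Incident response team", "Forensics", "Management meetings",
                 "Customer notification", "Credit monitoring"],
    "Replacement": ["Repair/replace capital assets"],
    "Competitive advantage": ["Loss of intellectual property", "Loss of trade secrets",
                              "Loss of merger and acquisition information",
                              "Loss of market conditions information"],
    "Fines and judgment": ["Regulatory fines", "Class action lawsuits", "Bail"],
    "Reputation": ["Reduced market share (lost customers)",
                   "Decreased projected sales growth", "Reduced stock price",
                   "Increased cost of capital"],
}


@dataclass(frozen=True)
class Coverage:
    """The forms of loss a policy or contract actually pays for, plus its terms.
    Constructed simplification: real agreements add exclusions and sub-limits
    that have to be read out of the legal text."""
    name: str
    covered_forms: frozenset
    deductible: float = 0.0        # retained by the enterprise before any payout
    limit: float = float("inf")    # aggregate cap on what the other party pays


# Constructed forecast for one data-breach scenario: $50 million in total.
SCENARIO_FORECAST = {
    "Productivity": 6_000_000,
    "Response": 8_000_000,
    "Replacement": 2_000_000,
    "Competitive advantage": 10_000_000,
    "Fines and judgment": 9_000_000,
    "Reputation": 15_000_000,
}

# Constructed $50 million cyberinsurance policy covering three forms of loss.
POLICY = Coverage("Cyberinsurance policy",
                  frozenset({"Response", "Replacement", "Fines and judgment"}),
                  deductible=1_000_000, limit=50_000_000)

# Constructed contract clause in the style of the cloud-provider example:
# the provider covers response costs, capped at a one-time $100,000 payout.
CONTRACT = Coverage("Cloud provider MSA clause", frozenset({"Response"}),
                    limit=100_000)


def gap_analysis(forecast: dict, coverage: Coverage) -> dict:
    """Split a scenario's forecast loss into transferred and retained amounts
    and flag every form of loss that carries loss but is not covered."""
    unknown = set(forecast) - set(FORMS_OF_LOSS)
    if unknown:
        raise ValueError(f"unknown forms of loss: {sorted(unknown)}")
    total = sum(forecast.values())
    covered_total = sum(v for f, v in forecast.items() if f in coverage.covered_forms)
    transferred = max(0.0, min(covered_total - coverage.deductible, coverage.limit))
    rows = []
    for form in FORMS_OF_LOSS:
        loss = forecast.get(form, 0)
        covered = form in coverage.covered_forms
        rows.append({"form": form, "forecast_loss": loss,
                     "covered": covered, "gap": loss > 0 and not covered})
    return {"coverage": coverage.name, "total_forecast": total,
            "transferred": transferred, "retained": total - transferred,
            "rows": rows, "gaps": [r["form"] for r in rows if r["gap"]]}


if __name__ == "__main__":
    for cov in (POLICY, CONTRACT):
        g = gap_analysis(SCENARIO_FORECAST, cov)
        print(f"{g['coverage']}: forecast ${g['total_forecast']:,.0f}, "
              f"transferred ${g['transferred']:,.0f}, retained ${g['retained']:,.0f}")
        print("  gaps:", ", ".join(g["gaps"]))
```

With the constructed numbers, a $50 million policy against a $50 million forecast transfers $18 million and leaves $32 million retained, which is the paper’s point about policies covering specific conditions rather than all forms of loss.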

Risk Acceptance

Acceptance is a valid response when risk is below the enterprise’s tolerance for risk, or when the cost of mitigating or transferring the risk outweighs the projected reduction in risk exposure.

Some enterprises will accept risk and implement monitoring (e.g., key risk indicators) to detect changes. Other risk can be accepted temporarily, buying time to design countermeasures or free up capital to invest in mitigation projects. Some enterprises take the position that all risk should be mitigated, as long as it is cost-effective. Regardless of the approach taken, it should be consistent, aligned with the enterprise’s objectives and appetite for risk.

Technically speaking, all risk response options except for “avoid” involve some element of risk acceptance, as it is not possible to entirely mitigate or transfer all risk. Some risk will always be retained, even when risk is reduced or shared with a third party. Risk portfolios must reflect the retained risk.

Accepting risk can be a good option when the following circumstances are present:
• A particular risk is below the enterprise’s appetite. Risk is accepted and monitored to free up resources to respond to risk that exceeds the appetite.
• The cost of mitigating the risk is higher than a projected reduction in risk exposure.
• A risk response would not measurably change the risk.
• Other business projects or initiatives need resourcing first.

In all cases, KRIs should be implemented to monitor the risk, threat landscape and control environment. KRIs will help management know if a previously accepted risk is rising, prompting action before the risk exceeds the enterprise’s appetite.

Another consideration is ensuring that the enterprise has enough capital reserves to cover all retained risk. Capital reserves can be viewed as an emergency fund—typically cash set aside for contingencies or to offset losses. A single risk probably would not need this kind of


consideration, especially if there is alignment with the risk appetite. However, relevant risk should be considered in aggregate—especially if an event could occur within a short period. Implementing KRIs and ensuring sufficient capital reserves are the best ways to optimize the “accept” risk response option.
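Both recommendations for the “accept” option, KRIs on the accepted risk and a check of capital reserves against retained risk in aggregate, are simple enough to encode. The following is an added example, not code from the white paper or from ISACA: the indicators, thresholds, observation series and reserve figures are constructed, and the escalation rule (escalate on a breach, or on a warning with a rising trend) is an assumption chosen to illustrate acting before the appetite is exceeded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    """A key risk indicator attached to an accepted risk. By construction every
    indicator here is defined so that a higher value means more risk."""
    name: str
    warning: float  # level at which management should look closer
    breach: float   # level at which the accepted risk is presumed above appetite


# Constructed KRIs for an accepted phishing / credential-theft risk.
ACCEPTED_RISK_KRIS = [
    KRI("Phishing emails reported per 1,000 users per month", warning=5, breach=10),
    KRI("Median days to patch critical vulnerabilities", warning=14, breach=30),
    KRI("Staff failing the quarterly phishing simulation (%)", warning=10, breach=20),
]

# Constructed observations, oldest first.
OBSERVATIONS = {
    "Phishing emails reported per 1,000 users per month": [2, 2, 3, 4, 6],
    "Median days to patch critical vulnerabilities": [9, 8, 10, 8, 9],
    "Staff failing the quarterly phishing simulation (%)": [7, 6, 6, 5],
}


def evaluate_kri(kri: KRI, observations: list[float]) -> dict:
    """Classify the latest observation against the thresholds and detect a
    rising trend (three strictly increasing readings). Escalate on breach, or
    on warning plus rising, so action starts before the appetite is exceeded."""
    if not observations:
        raise ValueError(f"no observations for KRI {kri.name!r}")
    latest = observations[-1]
    if latest >= kri.breach:
        status = "breach"
    elif latest >= kri.warning:
        status = "warning"
    else:
        status = "ok"
    tail = observations[-3:]
    rising = len(tail) == 3 and tail[0] < tail[1] < tail[2]
    escalate = status == "breach" or (status == "warning" and rising)
    return {"kri": kri.name, "latest": latest, "status": status,
            "rising": rising, "action": "escalate" if escalate else "monitor"}


def review_accepted_risk(kris=ACCEPTED_RISK_KRIS, observations=OBSERVATIONS) -> dict:
    """Evaluate every KRI of one accepted risk and say whether any needs action."""
    results = [evaluate_kri(k, observations[k.name]) for k in kris]
    return {"results": results,
            "escalate": any(r["action"] == "escalate" for r in results)}


def reserve_adequacy(retained_exposures: dict[str, float], reserves: float) -> dict:
    """Compare capital reserves with retained (accepted) risk one scenario at a
    time and in aggregate: reserves that cover the largest single scenario can
    still fall short if several accepted risks materialise in a short period."""
    largest = max(retained_exposures.values())
    aggregate = sum(retained_exposures.values())
    return {"largest_single": largest, "aggregate": aggregate,
            "covers_largest_single": reserves >= largest,
            "covers_aggregate": reserves >= aggregate,
            "shortfall": max(0.0, aggregate - reserves)}


# Constructed worst-case retained losses for three accepted risks, in dollars.
RETAINED = {"Accepted risk A": 3_000_000, "Accepted risk B": 4_000_000,
            "Accepted risk C": 5_000_000}
RESERVES = 8_000_000


if __name__ == "__main__":
    review = review_accepted_risk()
    for r in review["results"]:
        print(f"{r['kri']}: latest={r['latest']} status={r['status']} "
              f"rising={r['rising']} -> {r['action']}")
    print("Escalate accepted risk:", review["escalate"])
    print(reserve_adequacy(RETAINED, RESERVES))
```

In the constructed data the reserves cover any one of the three accepted risks but not all three together, which is the aggregate view the paragraph asks for; the reported-phishing indicator is still below its breach level but is rising through the warning band, so it is escalated early.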

Beware of Secondary Risk

Secondary risk (not to be confused with the Open FAIR term “secondary loss”) can be common, but it is rarely analyzed in connection with risk mitigation activities. Secondary risk occurs when risk response options, such as transference or mitigation, create additional risk. For example, suppose a company has decided to move all email services from in-house, internally managed servers to a fully outsourced model (e.g., Gmail for Business, Exchange Online). Outsourcing email not only reduces workload in the information technology department—presumably saving money—but also reduces risk in several areas.

Losses from email outages, phishing scams, data loss and data compromise are reduced because it is often presumed that SaaS companies can protect against these threats better than enterprises, which are often pulled in many competing directions.

However, outsourcing email services can create new, secondary risk that did not previously exist in the enterprise. For example, there may be additional regulatory or contractual risk in highly regulated environments with outsourcing if personally identifiable information (PII) is involved. If a SaaS provider uses offshore data centers, additional risk needs to be identified and analyzed.

It can be challenging to identify secondary risk. Conducting new- or emerging-risk brainstorming workshops with a diverse group of people is an effective way to identify the additional risk that may arise from implementing risk response.

Increase Risk—A Viable Option

How an enterprise chooses to respond to risk involves many factors that lie outside the obvious: optimizing investments. An enterprise’s risk culture—beliefs, ethics, how risk is perceived—and overall strategy plays just as much of a role, if not more, than money. If an enterprise’s risk culture supports it, strategically and deliberately choosing to increase risk is a viable risk strategy. Even enterprises that do not prefer to increase risk as a strategy may inadvertently find themselves doing so, due to secondary risk.

Through risk appetite, enterprises should clearly define when and under what circumstances risk can be increased and when it should not—e.g., when risk compromises safety or may result in the loss of life.

Willingly and deliberately choosing to expand one’s risk exposure may seem counterintuitive. Still, it is a valid way to respond to risk—especially if risk managers look holistically at an enterprise’s strategic objectives and how response plays a role. In the financial sector, choosing to increase risk is common, with parties choosing to take on liabilities in order to share the risk—and the rewards.

In cases of technology, operational and enterprise risk, leadership also may choose to increase risk in a particular area. Some instances:
• Mismatched cost/benefit—Risk mitigation costs exceed the reduction of risk exposure. For example, if $20 million in annual security projects reduces risk by $5 million, the investment does


not make economic sense. Mitigation should be reduced, removed or redesigned.
• User friction—User friction is “anything that prevents a user from accomplishing a goal in your product.”31 User friction can take the form of onerous security requirements, controls that make an application difficult to use, or a process that creates an unacceptable amount of time to complete a task. User friction can affect customers and internal users, and security features or mitigating controls can be removed to alleviate some of these problems.
• Opportunity cost—Enterprises may decide to remove or reduce risk mitigation measures to free up capital for other projects.
• Self-insurance—Enterprises with enough capital reserves to cover losses stemming from an event may choose to cancel insurance and self-insure, which will increase the exposure in relevant risk previously covered by the policy.

The key to strategic risk increase is to carefully identify the factors that comprise risk and identify the pros and cons of increased risk. Risk quantification plays a crucial role in helping leadership forecast how and where controls contribute to risk reduction.

Figure 7 shows a hypothetical example of a company’s analysis of whether to remove controls and potentially increase risk. The current risk level, shown in blue, is below the enterprise’s appetite for risk. The enterprise is considering removing a security control for internal users because of poor user experience and a significant decrease in productivity. The enterprise’s risk management team first measures the current risk with security controls. The team then gathers internal incident data, performs external research and interviews a cross-section of subject-matter experts to develop a forecast of risk after control removal (plotted in figure 7—see legend, “After control removal”). The forecast risk is still below the risk appetite. The probability of losses exceeding $40 million increases from 5% to 12%, which is acceptable to management given that control removal will net $15 million in savings annually.

FIGURE 7: Removing Controls, Before and After Comparison

[Chart: loss exceedance curves. Y-axis: Probability of exceeding loss (0% to 100%). X-axis: Loss exceeded ($0 to $100,000,000). Series: Loss exceedance tolerance; Current risk; After control removal.]

31 Rekhi, S.; “The Hierarchy of User Friction,” Medium, 6 July 2017, https://medium.com/@sachinrekhi/the-hierarchy-of-user-friction-e99113b77d78


Another Form of Risk Increase: Recipient of Risk Sharing

There is one more common form of choosing to increase risk, although enterprises that engage in it may not think of it this way. It occurs when an enterprise agrees to be the recipient of risk via sharing or transfer. Third-party service providers can also fall into this category; they can choose to take on risk by bringing on more clients, increasing their risk exposure to cyberattacks. Assuming that the enterprise can cover the exposure from a capital reserves standpoint and risk models are adjusted as risk increases, this is just the price of doing business.

Conclusion

Risk response is complex. Choosing and optimizing an efficient response goes beyond picking “mitigate” as a default when a risk analysis is complete and is fraught with additional problems like unintended consequences, inefficiencies and moral hazard. Intrepid risk managers will always have their fingers on the pulse of an ever-changing risk landscape. Threat actors change and evolve over time. Controls also evolve; evolving password and authentication requirements are a good example. As regulations, laws and legal requirements change, so do the loss magnitude forecasts of risk analyses.

Risk response should be active and continuous, not a passive “set it and forget it” approach. Implementing key risk, performance and control indicators (KRI, KPI, KCI) to serve as early warnings that risk changes may be on the horizon is one way to be proactive. Another is to continuously reassess risk, even risk that is way below tolerance and has long been accepted. Leadership does not want to be caught off guard if a risk that is suddenly increasing is missed because the last assessment is too old to inform decisions. Annual or semi-annual new and emerging risk workshops with a diverse cross-section of subject-matter experts can lead to finding risk-register blind spots. Risk workshops will help inform the management of risk overall, including response.

The objective of risk response is to achieve enterprise goals through efficient risk management. The purpose is not risk mitigation. Optimized risk response may mean the strategic acceptance, transference or increase of risk if the analysis supports it.

Risk quantification may be the risk manager’s single most effective tool in identifying and weighing the pros and cons of available options. Enterprises not currently using risk quantification should consider implementing it, at a minimum, to assist in making the most critical strategic risk decisions.


Acknowledgments
ISACA would like to acknowledge:

Lead Developer
Tony Martin-Vegue, CISM, CISSP, OpenFAIR, Netflix, USA

Expert Reviewers
Evan Wheeler, CRISC, NDVR, Inc., USA
Mike Hughes, CISA, CISM, CGEIT, CRISC, CDPSE, Prism RA, UK
Dirk Steuperaert, CISA, CGEIT, CRISC, IT-In-Balance, Belgium
Sunil Bakshi, CISA, CISM, CGEIT, CRISC, CDPSE, CeH, CISSP, PMP, ISO27001 LA, India
David Vohradsky, CISA, CISM, CGEIT, CRISC, QSA, Cyberisk Australia, Australia
Prometheus Yang, CISA, CISM, CRISC, CFE, Standard Chartered Bank, China
Jack Freund, Ph.D., CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P, USA

Board of Directors
Gregory Touhill, Chair, CISM, CISSP, Director, CERT Center, Carnegie Mellon University, USA
Pamela Nigro, Vice-Chair, CISA, CRISC, CGEIT, CRMA, Vice President–Information Technology, Security Officer, Home Access Health, USA
John De Santis, Former Chairman and Chief Executive Officer, HyTrust, Inc., USA
Niel Harper, CISA, CRISC, CDPSE, Chief Information Security Officer, UNOPS, Denmark
Gabriela Hernandez-Cardoso, Independent Board Member, Mexico
Maureen O’Connell, Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA
Veronica Rose, CISA, CDPSE, Founder, Encrypt Africa, Kenya
David Samuelson, Chief Executive Officer, ISACA, USA
Gerrard Schmid, President and Chief Executive Officer, Diebold Nixdorf, USA
Asaf Weisberg, CISA, CISM, CGEIT, CRISC, Chief Executive Officer, introSight Ltd., Israel
Tracey Dedrick, ISACA Board Chair, 2020-2021, Former Chief Risk Officer, Hudson City Bancorp, USA
Brennan P. Baybeck, CISA, CISM, CRISC, CISSP, ISACA Board Chair, 2019-2020, Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA
Rob Clyde, CISM, ISACA Board Chair, 2018-2019, Independent Director, Titus, and Executive Chair, White Cloud Security, USA


About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

DISCLAIMER
ISACA has designed and created Optimizing Risk Response (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS
© 2021 ISACA. All rights reserved.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide Feedback: www.isaca.org/optimizing-risk-response
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/
