Tuesday 22 November 2011

Operational Risk Treatment

Recently I’ve blogged about how to reduce Risks from Threats using Vulnerabilities by eliminating Threats, by reducing Vulnerabilities or by reducing Consequences – or by a combination. Acting this way is an example of one of the three major strategies for Operational Risk Treatment – Risk Reduction.

The Risk Management Concept is about optimizing your outcome of Risk. Your Management should contain your organization’s expertise on managing Business Risk, and you may be your organization’s Operational Risk Management guru. If so, you know that Operational Risk Treatment is about minimizing the total costs for Risk outcome and protection and about keeping your Risk within limits defined by your organization’s Risk Appetite.

One good source for knowledge about Operational Risk Management is ISO/IEC 27005. For those of you who prefer free access to information, open sources include ENISA, which presents the following list of Risk Treatment options:
  1. to avoid the Risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause of that Risk;
  2. to modify the likelihood of the Risk, trying to reduce or eliminate the likelihood of the negative outcomes;
  3. to try modifying the consequences in a way that will reduce losses;
  4. to share the Risk with other parties facing the same Risk (insurance arrangements and organizational structures such as partnerships and joint ventures can be used to spread responsibility and liability); of course one should always keep in mind that if a Risk is shared in whole or in part, the organization acquires a new Risk, i.e. the Risk that the organization to which the initial Risk has been transferred may not manage it effectively;
  5. to retain the Risk or its residual Risks.
The (residual) Risk level is the result of applying the three major Risk Treatment strategies: Risk Reduction (options 2 and 3), Risk Avoidance (option 1) and Risk Sharing (option 4). Or, of course, if the Risk is acceptable from the beginning, the fourth strategy: Retaining Risk (option 5). In either case, you may not stop treating Risk until each and every (residual) Risk is either explicitly accepted by its Risk Owner or fits within your organization’s Risk Appetite picture. That is, every application of a Risk Treatment strategy ends in Retaining Risk.

2 comments:

  1. In the past decade Operations Risk management has been increasingly
    salt lake city attorney

  2. Your Management should contain your organization’s expertise on managing Business Risk, and you may be your organization’s Operational Risk Management guru

