Last time I talked about the 3rd principle under the Performance component of the COSO ERM framework, which was prioritizing risk. This week I will move on to the 4th principle under Performance, which is implementing risk responses.
The Performance component has 5 principles:
- Identifies risk
- Assesses the severity of risk
- Prioritizes risk
- Implements risk responses
- Develops a portfolio view
Once you have prioritized the risks, your organization must evaluate and apply a treatment for each risk. Your organization will strive to ensure that the risk sits within its risk appetite and risk tolerance in the most cost-effective way. A cost/benefit analysis is usually performed on the different risk treatment options to determine the optimal and most effective solution.
The same should be done within individual business units, and in your case probably the cybersecurity team. The ERM team is likely to lean on you to help them identify cost-effective but impactful risk treatment solutions.
There are usually four types of risk response that the organization can take:
- Avoid: Change the strategy to avoid the risk altogether. Avoiding a risk is usually considered when there is no cost-effective method to reduce the cybersecurity risk to an acceptable level, as defined by the organization's risk appetite and tolerance.
- Mitigate: Apply a risk treatment that reduces the threats, vulnerabilities, likelihood or impact of a risk so that the residual risk is within the risk appetite and tolerance.
- Transfer: Most organizations consider sharing some of the risk with another party when they do not fully control the risk themselves. Think of outsourcing to a SaaS provider or investing in cyber insurance.
- Accept: Accept the risk as it is, because the risk falls within the risk appetite and tolerance, but continue to monitor the risk in case it moves beyond the approved tolerance.
Once you have decided on the risk treatment and security controls, you need to develop a corrective action plan. A corrective action plan is a step-by-step plan of action with defined milestones that the risk owners will follow to treat the risk. If the risk register is the "what", the corrective action plan is the "how and when".
The development and use of corrective action plans should be part of your organization's risk management strategy and standardized throughout the organization, but this requires buy-in, as it will inevitably generate work for other teams.
Approach this by identifying how work enters the workflows of other teams. If the only projects that receive attention are the ones discussed in a weekly Scrum meeting, then make sure your initiatives are included there.
Next time, I will talk about developing a portfolio view.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we will set something up. Have a nice week!