According to its definition, Risk Treatment is the process of selecting and implementing measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk. The measures (i.e. security measurements) can be selected from the sets of security measurements used within the Information Security Management System (ISMS) of the organization. At this level, security measurements are verbal descriptions of various security functions that are implemented technically (e.g. software or hardware components) or organizationally (e.g. established procedures).
Having identified and evaluated the risks, the next step involves the identification of alternative appropriate actions for managing these risks, the evaluation and assessment of their results or impact and the specification and implementation of treatment plans.
Since identified risks may have varying impact on the organization, not all risks carry the prospect of loss or damage. Opportunities may also arise from the risk identification process, as types of risk with positive impact or outcomes are identified.
Management or treatment options for risks expected to have positive outcome include:
- starting or continuing an activity likely to create or maintain this positive outcome;
- modifying the likelihood of the risk, to increase possible beneficial outcomes;
- trying to manipulate possible consequences, to increase the expected gains;
- sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains;
- retaining the residual risk.
Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:
- to avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk;
- to modify the likelihood of the risk trying to reduce or eliminate the likelihood of the negative outcomes;
- to try modifying the consequences in a way that will reduce losses;
- to share the risk with other parties facing the same risk (insurance arrangements and organizational structures such as partnerships and joint ventures can be used to spread responsibility and liability); one should always keep in mind that if a risk is shared in whole or in part, the organization is acquiring a new risk, i.e. the risk that the party to which the initial risk has been transferred may not manage it effectively;
- to retain the risk or its residual risks.
In general, the cost of managing a risk needs to be compared with the benefits obtained or expected. During this process of cost-benefit judgments, the Risk Management context established in the first process (i.e. Definition of Scope and Framework) should be taken into consideration. It is important to consider all direct and indirect costs and benefits whether tangible or intangible and measured in financial or other terms.
More than one option can be considered and adopted either separately or in combination. An example is the effective use of support contracts and specific risk treatments followed by appropriate insurance and other means of risk financing.
In the event that available resources (e.g. the budget) for risk treatment are not sufficient, the Risk Management action plan should set the necessary priorities and clearly identify the order in which individual risk treatment actions should be implemented.
Treatment plans are necessary in order to describe how the chosen options will be implemented. The treatment plans should be comprehensive and should provide all necessary information about:
- proposed actions, priorities or time plans,
- resource requirements,
- roles and responsibilities of all parties involved in the proposed actions,
- performance measures,
- reporting and monitoring requirements.
Action plans should be in line with the values and perceptions of all types of stakeholders (e.g. internal organizational units, outsourcing partner, customers etc.). The better the plans are communicated to the various stakeholders, the easier it will be to obtain the approval of the proposed plans and a commitment to their implementation.
As with all relevant management processes, initial approval is not sufficient to ensure the effective implementation of the process. Top management support is critical throughout the entire life-cycle of the process. For this reason, it is the responsibility of the Risk Management Process Owner to keep the organization’s executive management continuously and properly informed and updated, through comprehensive and regular reporting.
The Risk Management plan should define how Risk Management is to be conducted throughout the organization. It must be developed in a way that will ensure that Risk Management is embedded in all the organization’s important practices and business processes so that it will become relevant, effective and efficient.
More specifically, Risk Management should be embedded in the policy development process, in business and strategic planning, and in change management processes. It is also likely to be embedded in other plans and processes such as those for asset management, audit, business continuity, environmental management, fraud control, human resources, investment and project management.
The Risk Management plan may include specific sections for particular functions, areas, projects, activities or processes. These sections may be separate plans but in all cases they should be consistent with the organization’s Risk Management strategy (which includes specific RM policies per risk area or risk category).
The necessary awareness of and commitment to Risk Management at senior management levels throughout the organization is mission critical and should receive close attention by:
- obtaining the active ongoing support of the organization’s directors and senior executives for Risk Management and for the development and implementation of the Risk Management policy and plan;
- appointing a senior manager to lead and sponsor the initiatives;
- obtaining the involvement of all senior managers in the execution of the Risk Management plan.
The organization’s board should define, document and approve its policy for managing risk, including objectives and a statement of commitment to Risk Management. The policy may include:
- the objectives and rationale for managing risk;
- the links between the policy and the organization’s strategic plans;
- the extent and types of risk the organization will take and the ways it will balance threats and opportunities;
- the processes to be used to manage risk;
- accountabilities for managing particular risks;
- details of the support and expertise available to assist those involved in managing risks;
- a statement on how Risk Management performance will be measured and reported;
- a commitment to the periodic review of the Risk Management system;
- a statement of commitment to the policy by directors and the organization’s executive.
Publishing and communicating a policy statement of this type demonstrates to the organization’s internal and external environment the commitment of the executive board to Risk Management and clearly specifies roles and accountability on a personal level.
The directors and senior executives must be ultimately responsible for managing risk in the organization. All personnel are responsible for managing risks in their areas of control. This may be facilitated by:
- specifying those accountable for the management of particular risks, for implementing treatment strategies and for the maintenance of controls;
- establishing performance measurement and reporting processes;
- ensuring appropriate levels of recognition, reward, approval and sanction.
As is apparent, the actual implementation of security measurements for the underlying IT platform is not part of this activity. Rather, the implementation of action plans is concerned with the actions to be performed to reduce the identified risks. The work necessary at the level of the technical implementation of security measures is conducted within the ISMS, that is, outside the Risk Management process.
Last but not least, an important responsibility of the top management is to identify requirements and allocate necessary resources for Risk Management. This should include people and skills, processes and procedures, information systems and databases, money and other resources for specific risk treatment activities. The Risk Management plan should also specify how the Risk Management skills of managers and staff will be developed and maintained.
The integration of the Risk Management process with other operational and product processes is fundamental. ENISA plans to elaborate on this issue in the medium term based on examples with de facto process standards, such as ITIL.
Residual risk is a risk that remains after Risk Management options have been identified and action plans have been implemented. It also includes all initially unidentified risks as well as all risks previously identified and evaluated but not designated for treatment at that time.
It is important for the organization’s management and all other decision makers to be well informed about the nature and extent of the residual risk. For this purpose, residual risks should always be documented and subjected to regular monitor-and-review procedures.
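The cost-benefit ordering of treatment actions under a limited budget described earlier, and the residual risk register described in the two paragraphs above, can be made concrete with a small model. The following Python script is an added example written for this page, not code from the ENISA document or any ENISA tool. It assumes a 1-5 likelihood and 1-5 impact scale (exposure = likelihood x impact), a greedy ordering by exposure reduction per unit of cost, and a constructed register of four risks; it also records the new counterparty risk that a "share" option introduces, so that risk appears in the residual register instead of silently disappearing.

```python
"""Risk treatment prioritisation under a budget and the resulting residual register.

Added example; the scoring scale, the greedy ordering and the sample register are
assumptions of this example, not prescriptions of the source document.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Treatment:
    name: str
    option: str                 # avoid | modify_likelihood | modify_consequence | share | retain
    cost: int                   # constructed, arbitrary currency units
    likelihood_after: int       # 1..5, expected likelihood once implemented
    impact_after: int           # 1..5, expected impact once implemented
    # For "share" options: the new risk the sharing itself creates, as
    # (risk_id, likelihood, impact) -- the counterparty may not manage the risk well.
    new_risk: Optional[Tuple[str, int, int]] = None


@dataclass
class Risk:
    risk_id: str
    likelihood: int             # 1..5
    impact: int                 # 1..5
    treatments: List[Treatment] = field(default_factory=list)
    selected: Optional[Treatment] = None

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        # Untreated (retained or unfunded) risks keep their inherent exposure.
        if self.selected is None:
            return self.inherent
        return self.selected.likelihood_after * self.selected.impact_after


def best_treatment(risk: Risk) -> Optional[Treatment]:
    """Highest exposure reduction per unit cost; options that reduce nothing are skipped."""
    candidates = []
    for t in risk.treatments:
        reduction = risk.inherent - t.likelihood_after * t.impact_after
        if reduction > 0 and t.cost > 0:
            candidates.append((reduction / t.cost, reduction, t))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]), reverse=True)
    return candidates[0][2]


def plan_treatments(register: List[Risk], budget: int) -> Tuple[List[Tuple[str, str]], int]:
    """Greedy action plan: fund the best option per risk in descending reduction-per-cost
    order until the budget runs out. Returns (ordered plan, unspent budget)."""
    scored = []
    for r in register:
        t = best_treatment(r)
        if t is not None:
            reduction = r.inherent - t.likelihood_after * t.impact_after
            scored.append((reduction / t.cost, r, t))
    scored.sort(key=lambda s: s[0], reverse=True)
    plan, remaining = [], budget
    for _, r, t in scored:
        if t.cost > remaining:
            continue                      # unfunded: stays in the residual register untreated
        r.selected = t
        remaining -= t.cost
        plan.append((r.risk_id, t.name))
        if t.option == "share" and t.new_risk is not None:
            rid, lk, im = t.new_risk     # sharing acquires a new, documented risk
            register.append(Risk(rid, lk, im))
    return plan, remaining


def residual_register(register: List[Risk]) -> Dict[str, int]:
    """Every risk is kept, treated or not, so management sees the full residual picture."""
    return {r.risk_id: r.residual for r in register}


def build_sample_register() -> List[Risk]:
    """Constructed sample data for the example."""
    return [
        Risk("R1", 4, 5, [
            Treatment("MFA rollout", "modify_likelihood", 20, 1, 5),
            Treatment("cyber insurance", "share", 10, 4, 2, new_risk=("R1-counterparty", 2, 3)),
        ]),
        Risk("R2", 3, 3, [Treatment("offsite backups", "modify_consequence", 6, 3, 1)]),
        Risk("R3", 2, 2, [Treatment("accept", "retain", 0, 2, 2)]),
        Risk("R4", 5, 4, [Treatment("decommission legacy server", "avoid", 30, 1, 1)]),
    ]


def run_example(budget: int = 20):
    register = build_sample_register()
    plan, remaining = plan_treatments(register, budget)
    return plan, remaining, residual_register(register)


if __name__ == "__main__":
    plan, remaining, residual = run_example()
    print("plan:", plan, "unspent:", remaining)
    print("residual register:", residual)
```

With the constructed register and a budget of 20, the insurance and backup options are funded, the server decommissioning is left for a later budget cycle, and the residual register still lists R3, R4 and the newly acquired R1-counterparty risk, which is exactly what the monitor-and-review step needs to see.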