6.1 Introduction to Risk Response and Risk Treatment

After an organization has scanned the environment and identified and analyzed its risks, it must decide on the courses of action to take to address the risks that have the potential to affect the organization in either a positive or negative way. The way in which an organization manages its risks is referred to as risk response and risk treatment; it is where the ‘rubber hits the road!’ with respect to addressing risks.

Risk Response

Risk Response is a broad term that is used to describe the approaches that an organization will use to manage its risks. It is a plan to manage risks derived from information that is received after conducting a risk assessment. As we have learned, the ISO 31000:2018 definition of a risk assessment consists of the identification of risks, the analysis of risks and the evaluation of risks. Note that generic definitions of a risk assessment consist of risk identification and risk analysis and do not include the third step of risk evaluation. An organization can identify and analyze its risks using the strategies that are outlined in Chapter 4 and Chapter 5, respectively.

Risk Register & Risk Map

An excellent way to develop a risk response is using a risk register and map. When a risk map is built from a risk register, the organization’s risks are clearly shown in the form of a Risk Matrix. Risks that can potentially affect the organization are placed into quadrants based on the likelihood of the risk occurring and the impact that it has on the organization. This information can be used to develop a risk profile and to evaluate the risks by applying risk criteria to determine the scale and significance of the risks. A risk profile will help an organization understand its risks and the threats that they pose to the organization.

Risk Appetite

Actions taken by the organization to address risks are based on the information contained in the risk profile that is in alignment with the organization’s risk appetite. Risk appetite is the amount of risk that an organization is willing to retain, tolerate or seek in pursuit of its objectives. Organizations that actively take on risks even in the absence of controls have a high risk tolerance and are described as being risk aggressive. In comparison, organizations that are reluctant or unwilling to take on risks have a low risk tolerance and are described as being risk averse. There is an upside and a downside to each approach; for example, a risk-averse organization could miss opportunities to move forward with its objectives by not taking on risks. In contrast, a risk-aggressive organization is prepared to pursue its objectives by taking on risks in the absence of controls or restrictions, which could lead to either significant gains or significant losses for the organization. Organizations will often use the concept of risk versus reward as a measurement when taking on risk by positioning risk appetite and tolerance against potential gains or losses.

Risk Treatment

Risk treatment describes the specific actions and decisions that an organization will use to modify the upside and the downside of the risks that have been identified and analyzed by the organization. The terms risk treatment and risk control are often used interchangeably, as they both modify the likelihood and impact of risks that could advantageously or adversely affect an organization. The subtle difference is that risk treatments are recommended or proposed actions to reduce the likelihood or impact of risks. In contrast, risk controls consist of actions that have been taken by the organization to modify the likelihood and impact of risks with the goal of making losses more predictable.

License

Risk Management - Supply Chain and Operations Perspective Copyright © 2024 by Azim Abbas and Larry Watson is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.