Friday 2 June 2023

A round dozen risk treatment options



I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks:

  1. Acceptance: living with the risk, hoping that it doesn't materialise;

  2. Avoidance: steering well clear of, or stopping, risky activities;

  3. Mitigation: reducing the probability and/or impact of incidents using various types of control;
     
  4. Sharing: with others, such as business partners, insurers and communities.

However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary:

  5. Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective incident management, potentially even more important than accuracy: it's not ideal to freeze like a bunny in the headlights, paralysed by fear or tugged in different directions by indecision;

  6. Optimisation: finding the most cost-effective balance between the expenses involved in risk reduction and those incurred through incidents arising. This may be a genuine and valuable part of risk treatment but is potentially just another excuse for procrastination since it involves yet more analysis;

  7. Transfer: holding some third party wholly accountable for any incidents caused if specific risks eventuate. This is an extreme form of risk sharing where the organisation’s residual risks (such as the third party successfully denying complete accountability) are considered negligible, a potentially risky approach to risk management!

  8. Denial: challenging the very existence or significance of risk, perhaps dismissively denying all responsibility for it, may reflect an overtly cynical perspective … but it should not be surprising, given that people are naturally reluctant to accept responsibility for matters that are not entirely within their control, particularly given the inherent uncertainties of risk. As with risk transfer, this emphasises the value of accountability and the associated controls;

  9. Concealment: actively downplaying or hiding the presence of risks, for example by diverting attention to other matters while keeping active threats, vulnerabilities, incidents and impacts confidential. This could be seen as a way to mitigate further information risks resulting from disclosure of the risk, such as increasing the likelihood of exploitation by revealing vulnerabilities and potential impacts to threat agents (hackers, fraudsters and competitors, for instance). It may also, obviously enough, be an attempt to avoid adverse consequences such as bad publicity, increased regulatory oversight and penalties;

  10. Reaction: dynamically dealing with incidents according to the circumstances, for instance recognising that risk treatments are not working out as planned and reconsidering, perhaps revisiting the risk evaluation and treatment decisions, strengthening or supplementing the controls. This is a form of contingency management i.e. decisions and future actions are contingent (depend) upon what has happened or is happening. Whether subsequent risk analysis and decisions are part of the original effort or separate is of no consequence: the point is that risk decisions can (sometimes) be revised, and monitoring outcomes can be an important part of the risk management process;

  11. Retreat/retrenchment: just as a snail shrinks into its shell when touched, incident response planning may involve ‘going dark’, ‘lifting the drawbridge’ or ‘battening down the hatches’ when under attack – historical phrases suggesting a time-honoured approach to pulling back from a fight to strengthen a defensive position. Disconnecting or isolating systems from the network is a modern equivalent;

  12. Retribution: attacking the attackers may seem an attractive option for some, tempting managers who believe their organisation to be highly competent and easily capable of hitting back, or those that find themselves being driven into a dark corner, becoming ever more desperate. This is far from straightforward, however: a highly risky strategy, definitely not something to leap headlong into ... which means it may be worth talking through ahead of time.
