Risk responses (such as mitigate, accept, avoid, or transfer) are implemented to address cyber risks, at least in an ad hoc manner
Context and Guidance: Once risks to the function are identified, the organisation should decide how to respond to those risks. Response begins with assigning a risk disposition to each risk or risk category, that is, a statement of the organisation’s intention for addressing the risk. For example, risk mitigation involves taking active steps to minimise the risk; risk transfer is the contractual shifting of a risk from one party to another through a contract, such as through an insurance policy, a liability waiver with a client, or an indemnification agreement with a supplier. Risk responses should be developed as part of the risk management strategy. Risk responses can vary widely across organisations but typically include: • risk avoidance—altering operations to avoid the risk while still providing the essential service • risk acceptance—acknowledgment of the risk but consciously not taking any action (in essence, accepting the potential consequences of the risk) • risk transfer—assigning the risk to a willing and able entity • risk mitigation—taking active steps to minimise the risk • risk monitoring—performing further research and deferring action on the risk until the need to address the risk is apparent Organisational risk response selection processes should clarify that it is not necessary to mitigate every identified risk. Risk avoidance, acceptance, or transfer should be considered in addition to mitigation.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-4a, RISK-4b, RISK-4e.