This is not a new post; I originally wrote and published it nearly six years ago. However, judging by a number of discussions I have been party to over the last few weeks, not much has changed since it was published, so I thought I would repost it as a prologue to a new series of blog posts about risk, risk assessment and risk management.
One common misconception of risk management that I have come up against time and time again is that once a risk has been managed it has been eliminated and can be closed and removed from the risk register. This is simply not the case, as risks can evolve and change over time for any number of reasons.
One of the biggest challenges of risk management is for the risk owner (usually the business owner of the information or process) to select an appropriate risk response so that a risk is brought in line with their risk appetite. This can be achieved by selecting one or more of the following risk response options:
- Avoid – stop the activity giving rise to the risk;
- Treat – implement controls to reduce the likelihood and/or impact;
- Transfer – transfer or share all or part of the impact;
- Accept – accept the current level of risk.
Any of these risk responses may be appropriate for a given risk scenario. However, only one will eliminate the risk: risk avoidance (sometimes referred to as risk termination or elimination). All of the other options require the risk to be monitored and reviewed on a regular basis to ensure that it does not increase over time. As a result, such risks should not be removed from the risk register.
Experience has taught me that very few organisations are willing to cease the activity that introduces a risk, and nor should they be; after all, it is impossible to seize an opportunity without taking risks. However, to take full advantage of an opportunity it is important to manage those risks, and by not monitoring risks that have been treated, transferred or accepted the business may be taking on more risk than it would tolerate.