2 Treatment options
Options for risk treatment can be wide ranging, from changing the consequences or probability, removing the risk source, changing plans to avoid the risk altogether or accepting the risk (and making provision for it happening). Risk treatment is an iterative process, linking with other parts of the risk management process.
The figure and table that follow recap some key definitions on the life cycle of a risk.

| Type of risk assessment | Definition |
|---|---|
| Gross (also known as Inherent) | The worst case: the level of risk assuming existing measures (e.g. controls) don't work as intended. |
| Current | The level of risk faced today. When assessing the current risk level you need to understand: What measures are already in place that reduce the level of risk? How do you know that these measures are working properly? |
| Future | The level of risk you will face in the future; this is commonly referred to as the Residual and Target risk level. |
| Residual risk | The level of risk once all risk treatments have been completed. Good practice is to only take into account treatment activities that have been fully funded and resourced, as many companies find that without funding and resource, their best laid plans don't happen! This leads to a potential further level of risk, the target risk level. This is the level of risk you want to take and is linked to risk appetite. |
So there are potentially four levels (Gross, Current, Residual, Target) of risk that you may wish to assess. Often, however, things are simpler. Consider a few examples.
- Residual risk = Target risk. On many occasions a company will fund all of the necessary treatment activities, such that the level of risk faced once all treatment activities are completed will be the same as the level of risk they would wish to take, and therefore their residual risk is the same as their target risk.
- Residual risk = Target risk = Current risk. Furthermore, once a company has completed all ‘actions’ to reduce the level of risk, they may find that their current risk level is the same as their residual risk level, which in turn is the same as their target level. Remember, it is not the case that the risk can no longer happen: rather, based on the current controls (and assuming they are working effectively), the agreed level of risk is taken.
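The four levels and the two cases above can be captured in a small risk-register calculation. This is an added example, not part of the original text: the 1..5 likelihood and impact scales, the field names and the sample risk entry are constructed assumptions. It credits only controls with evidence that they work towards the current level, and only funded and resourced treatments towards the residual level, then flags whether residual is still above target (appetite not reached) and whether residual differs from current (actions still outstanding).

```python
from dataclasses import dataclass, field

@dataclass
class Control:                  # a measure already in place today
    name: str
    likelihood_reduction: int   # levels removed on a constructed 1..5 likelihood scale
    verified: bool              # is there evidence (audit/assurance) that it works?

@dataclass
class Treatment:                # a planned measure, not yet in place
    name: str
    likelihood_reduction: int
    funded_and_resourced: bool  # only these count towards residual risk

@dataclass
class Risk:
    name: str
    gross_likelihood: int       # 1 (rare) .. 5 (almost certain), with no control working
    impact: int                 # 1 .. 5
    target_likelihood: int      # the level the organisation is willing to take (appetite)
    controls: list = field(default_factory=list)
    treatments: list = field(default_factory=list)

def assess(risk):
    """Return gross/current/residual/target scores (likelihood x impact) plus two flags."""
    gross_l = risk.gross_likelihood
    # Current: only controls with evidence of effectiveness are credited.
    current_l = max(1, gross_l - sum(c.likelihood_reduction for c in risk.controls if c.verified))
    # Residual: current level once the funded and resourced treatments are complete.
    residual_l = max(1, current_l - sum(t.likelihood_reduction for t in risk.treatments if t.funded_and_resourced))
    target_l = risk.target_likelihood
    return {
        "gross": gross_l * risk.impact,
        "current": current_l * risk.impact,
        "residual": residual_l * risk.impact,
        "target": target_l * risk.impact,
        "above_appetite": residual_l > target_l,        # funded plan does not reach target
        "actions_outstanding": residual_l < current_l,  # funded treatments still to complete
    }

def example_risk():
    """Constructed sample register entry (hypothetical values, not from the text)."""
    return Risk(
        name="unpatched internet-facing service",
        gross_likelihood=5, impact=4, target_likelihood=2,
        controls=[Control("perimeter firewall", 1, verified=True),
                  Control("monthly patching", 1, verified=False)],   # not yet evidenced
        treatments=[Treatment("automated patch deployment", 1, funded_and_resourced=True),
                    Treatment("endpoint detection rollout", 1, funded_and_resourced=False)],
    )
```

Once a funded treatment is completed, record it as a verified control and remove it from the treatment list; the current level then moves down to meet the residual level, which is the second case in the list above.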
There is one further point to highlight: as circumstances change, so can the risk level. This could be driven by things inside an organisation as well as by factors outside it; it could be that new information is found that changes our view of a risk, or that changes in technology change the nature of the risk. It is for this reason that risk assessment should be regularly revisited. Many organisations ensure there are links between their risks, their audit and assurance findings and their incident management processes for precisely this reason, as this gives them clear and early notification if their risk level is changing.