Editing Risk management (section)

==Risk options==
Risk mitigation measures are usually formulated according to one or more of the following major risk options, which are:

# Design a new business process with adequate built-in risk control and containment measures from the start.
# Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures.
# Transfer risks to an external agency (e.g. an insurance company)
# Avoid risks altogether (e.g. by closing down a particular high-risk business area)

Later research<ref>{{cite web|title=CRISC Exam Questions|url=https://www.dumpsbook.com/Exam/CRISC|access-date= 23 Feb 2018}}</ref> has shown that the financial benefits of risk management are less dependent on the formula used but are more dependent on the frequency and how risk assessment is performed.

In business it is imperative to be able to present the findings of risk assessments in financial, market, or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula was accepted as the official risk analysis method for the US governmental agencies. The formula proposes calculation of ALE (annualized loss expectancy) and compares the expected loss value to the security control implementation costs ([[cost–benefit analysis]]).

===Potential risk treatments===
Planning for risk management uses four essential techniques. Under the acceptance technique, the business intentionally assumes risks without financial protections in the hopes that possible gains will exceed prospective losses. The transfer approach shields the business from losses by shifting risks to a third party, frequently in exchange for a fee, while the third-party benefits from the project. By choosing not to participate in high-risk ventures, the avoidance strategy avoids losses but also loses out on possibilities. Last but not least, the reduction approach lowers risks by implementing strategies like insurance, which provides protection for a variety of asset classes and guarantees reimbursement in the event of losses.<ref>{{Cite journal |last=Baldzhy |first=Maryna |date=2023-12-25 |title=Risk Management Strategies in the Global Business Environment: Analysis of Complex Dependencies and Effectiveness of Measures |url=http://ndpublisher.in/admin/issues/EAv68n5t.pdf |journal=Economic Affairs |volume=68 |issue=4 |doi=10.46852/0424-2513.4.2023.20}}</ref>

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:<ref>{{cite book |last=Dorfman|first=Mark S. |title=Introduction to Risk Management and Insurance|edition=9 |publisher=Prentice Hall |location=Englewood Cliffs, N.J |year=2007 |isbn=978-0-13-224227-1 }}</ref>

* Avoidance (eliminate, withdraw from or not become involved)
* Reduction (optimize – mitigate)
* Sharing (transfer – outsource or insure)
* Retention (accept and budget)

Ideal use of these [[risk control strategies]] may not be possible.  Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense (see link), [[Defense Acquisition University]], calls these categories ACAT, for Avoid, Control, Accept, or Transfer.  This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.

Similarly to risks, opportunities have specific mitigation strategies: exploit, share, enhance, ignore.

====Risk avoidance====
This includes not performing an activity that could present risk. Refusing to purchase a [[Real property|property]] or business to avoid [[legal liability]] is one such example. Avoiding [[airplane]] flights for fear of [[Aircraft hijacking|hijacking]].  Avoidance may seem like the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to avoidance of treating higher risk conditions, in favor of patients presenting with lower risk.<ref>{{cite journal|last=McGivern|first=Gerry|author2=Fischer, Michael D.|title=Reactivity and reactions to regulatory transparency in medicine, psychotherapy and counseling|journal=Social Science & Medicine|date=1 February 2012|volume=74|issue=3|pages=289–296|doi=10.1016/j.socscimed.2011.09.035|pmid=22104085|url=http://eureka.sbs.ox.ac.uk/4314/1/McGivern_G___Fischer_M_D__%282012%29_Reactivity_and_Reactions_to_Regulatory_Transparency_in_Medicine_Psychotherapy_and_Counselling_%28Authors%27_version%29.pdf|access-date=20 April 2018|archive-date=21 April 2018|archive-url=https://web.archive.org/web/20180421032113/http://eureka.sbs.ox.ac.uk/4314/1/McGivern_G___Fischer_M_D__%282012%29_Reactivity_and_Reactions_to_Regulatory_Transparency_in_Medicine_Psychotherapy_and_Counselling_%28Authors%27_version%29.pdf|url-status=dead}}</ref>

====Risk reduction====
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss from occurring. For example, [[Fire sprinkler|sprinkler]]s are designed to put out a [[fire]] to reduce the risk of loss by fire.  This method may cause a greater loss by water damage and therefore may not be suitable. [[Halomethane|Halon]] fire suppression systems may mitigate that risk, but the cost may be prohibitive as a [[strategy]].

Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between negative risk and the benefit of the operation or activity; and between risk reduction and effort applied. By effectively applying [[Health, Safety and Environment]] (HSE) management standards, organizations can achieve tolerable levels of [[residual risk]].<ref>[https://www.iadc.org/ebookstore/ebook-iadc-hse-case-guidelines-for-mobile-offshore-drilling-units/ IADC HSE Case Guidelines for Mobile Offshore Drilling Units] {{Webarchive|url=https://web.archive.org/web/20170503072112/http://www.iadc.org/ebookstore/ebook-iadc-hse-case-guidelines-for-mobile-offshore-drilling-units/ |date=2017-05-03 }} 3.2, section 4.7</ref>

Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.

[[Outsourcing]] could be an example of risk sharing strategy if the outsourcer can demonstrate higher capability at managing or reducing risks.<ref>{{cite journal|last=Roehrig|first=P|year=2006|url=http://www.btquarterly.com/?mc=bet-governance&page=ss-viewresearch|title=Bet On Governance To Manage Outsourcing Risk|journal=Business Trends Quarterly|access-date=2007-09-07|archive-date=2018-09-01|archive-url=https://web.archive.org/web/20180901182553/http://www.btquarterly.com/?mc=bet-governance&page=ss-viewresearch|url-status=dead}}</ref> For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the manufacturing process, managing the development team, or finding a physical location for a center. Also, implanting controls can also be an option in reducing risk. Controls that either detect causes of unwanted events prior to the consequences occurring during use of the product, or detection of the root causes of unwanted failures that the team can then avoid. Controls may focus on management or decision-making processes. All these may help to make better decisions concerning risk.<ref>{{Cite journal |last1=Shashi |last2=Centobelli |first2=Piera |last3=Cerchione |first3=Roberto |last4=Ertz |first4=Myriam |title=Managing supply chain resilience to pursue business and environmental strategies |url=https://onlinelibrary.wiley.com/doi/10.1002/bse.2428 |journal=Business Strategy and the Environment |year=2020 |language=en |volume=29 |issue=3 |pages=1215–1246 |doi=10.1002/bse.2428 |bibcode=2020BSEnv..29.1215S |s2cid=213432044 |issn=0964-4733}}</ref>

====Risk sharing====
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a risk, and the measures to reduce a risk."

The term 'risk transfer' is often used in place of risk-sharing in the mistaken belief that you can transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance company or contractor go bankrupt or end up in court, the original risk is likely to still revert to the first party. As such, in the terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as a "transfer of risk." However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses "transferred", meaning that insurance may be described more accurately as a post-event compensatory mechanism. For example, a personal injuries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policyholder namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policyholder then some compensation may be payable to the policyholder that is commensurate with the suffering/damage.

Methods of managing risk fall into multiple categories. Risk-retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group upfront, but instead, losses are assessed to all members of the group.

====Risk retention====
Risk retention involves accepting the loss, or benefit of gain, from a risk when the incident occurs.  True [[self-insurance]] falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that either they cannot be insured against or the premiums would be infeasible. [[War]] is an example since most property and risks are not insured against war, so the loss attributed to war is retained by the insured. Also any amounts of potential loss (risk) over the amount insured is retained risk.  This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great that it would hinder the goals of the organization too much.

===Risk management plan===
{{Main|Risk management plan}}

Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation needs to be approved by the appropriate level of management. For instance, a risk concerning the image of the organization should have top management decision behind it whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions. There are four basic steps of risk management plan, which are threat assessment, vulnerability assessment, impact assessment and risk mitigation strategy development.<ref>{{Cite book |last=Snedaker |first=Susan |url=https://www.worldcat.org/oclc/858657442 |title=Business continuity and disaster recovery planning for IT professionals |date=2014 |publisher=Syngress |others=Chris Rima |isbn=978-1-299-85332-4 |edition=2nd |location=Waltham, MA |oclc=858657442}}</ref>

According to [[ISO/IEC 27001]], the stage immediately after completion of the [[risk assessment]] phase consists of preparing a Risk Treatment Plan, which should document the decisions about how each of the identified risks should be handled. Mitigation of risks often means selection of [[security controls]], which should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the 
standard have been selected, and why.

===Implementation===
Implementation follows all of the planned methods for mitigating the effect of the risks. Purchase insurance policies for the risks that it has been decided to transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.

===Review and evaluation of the plan===
Initial risk management plans will never be perfect. Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.

[[Risk analysis (business)|Risk analysis]] results and management plans should be updated periodically. There are two primary reasons for this: 
# to evaluate whether the previously selected security controls are still applicable and effective
# to evaluate the possible risk level changes in the business environment. For example, information risks are a good example of rapidly changing business environment.