Risk treatment is the process of selecting and implementing measures to modify the risk.
Risk treatment has risk control/mitigation as its major element, but extends further to include, for example, risk avoidance, risk transfer and risk financing.
Any system of risk treatment should provide as a minimum:
· effective and efficient operation of the organisation
· effective internal controls
· compliance with laws and regulations.
The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management.
Management will then need to prioritise risk control actions in terms of their potential to benefit the organisation.
Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.
Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.
The proposed controls need to be measured in terms of their potential economic effect, i.e. the loss expected if no action is taken versus the cost of the proposed action(s). This invariably requires more detailed information and assumptions than are immediately available.
Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and by comparing the results, management can decide whether or not to implement the risk control measures.
Compliance with laws and regulations is not an option.
An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. Only occasionally is there some flexibility, where the cost of reducing a risk would be totally disproportionate to that risk.
One method of obtaining financial protection against the impact of risks is risk financing, which includes insurance.
However, it should be recognised that some losses or elements of a loss will be uninsurable e.g. the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation's reputation.
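As an added illustration of the cost-effectiveness comparison and the compliance rule described above (example code, not part of the original document): a small Python helper that ranks candidate controls by net benefit, always retaining those required by law. All control names and figures are constructed.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    implementation_cost: float    # cost of implementing the control over the period (baseline)
    expected_loss_before: float   # estimated loss over the period if no action is taken
    expected_loss_after: float    # estimated loss over the period once the control is in place
    required_by_law: bool = False  # compliance controls are not optional


def net_benefit(c: Control) -> float:
    """Risk reduction benefit minus implementation cost.

    A negative value means the control costs more than the loss it avoids.
    """
    return (c.expected_loss_before - c.expected_loss_after) - c.implementation_cost


def prioritise(controls):
    """Split controls into (selected, rejected).

    Controls required by law are always selected regardless of cost; the rest
    are selected only when their net benefit is positive.  Selected controls
    are ordered with compliance controls first, then by descending net benefit.
    """
    selected, rejected = [], []
    for c in controls:
        if c.required_by_law or net_benefit(c) > 0:
            selected.append(c)
        else:
            rejected.append(c)
    selected.sort(key=lambda c: (not c.required_by_law, -net_benefit(c)))
    return selected, rejected


# Constructed sample figures (hypothetical, per year, in thousands).
SAMPLE_CONTROLS = [
    Control("Offsite backups", 40, 300, 60),
    Control("Hardware token MFA", 120, 150, 100),
    Control("Mandatory safety training", 25, 30, 20, required_by_law=True),
    Control("Server room fire suppression", 200, 500, 50),
]

if __name__ == "__main__":
    chosen, dropped = prioritise(SAMPLE_CONTROLS)
    for c in chosen:
        print(f"implement {c.name}: net benefit {net_benefit(c):+.0f}")
    for c in dropped:
        print(f"reject    {c.name}: net benefit {net_benefit(c):+.0f}")
```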
The Security Practitioner
An Introduction to Information Security