Governance & Risk Management , Leadership & Executive Communication , Risk Assessments
The Fifth Option in Risk Treatment
Book Excerpt: Peter Gregory on Ignoring the RiskFor decades, risk management frameworks have cited the same four risk treatment options: accept, mitigate, transfer and avoid. There is, however, a fifth option that some organizations select: Ignore the risk.
See Also: How Active Directory Security Drives Operational Resilience
Ignoring a risk situation is a choice, although it is not considered a wise choice. Ignoring a risk means doing nothing about it, not even making a decision about it. It amounts to little more than pretending the risk does not exist. It’s off the books. It is not even added to a risk register for consideration, but it represents a risk situation nonetheless.
In some cases, such as for minimal risk items, this may be perfectly acceptable. The theft of a paper clip may simply be too small for consideration for a risk register. It would probably be wise to leave this off of a risk register unless there is a specific reason to add it. In some cases, listing minimal risk is very critical because compliance requirements dictate that specific risks be considered in risk evaluations. Developing the right level of detail for a risk register requires experience, listening to an organization’s culture and striking the right balance.
Without a systematic framework for identifying risks, many are likely to go undiscovered.
Organizations without risk management programs may implicitly ignore all risks, or many of them at least. Organizations might also be practicing informal and maybe even reckless risk management - risk management by gut feel. Without a systematic framework for identifying risks, many are likely to go undiscovered. This practice could also be considered as ignoring risks through the implicit refusal to identify them and treat them properly.
Note that ignoring risk, particularly when governance requires that you manage it, is usually a violation of the principles of due diligence and due care. Many organizations can be legally charged with "willful negligence" if they have a duty to manage risk, and they simply don’t.
—Excerpt from "CRISC Certified in Risk and Information Systems Control All-In-One Exam Guide," ©McGraw Hill. Used with permission.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Peter H. Gregory is a career IT engineer turned security leader. He is responsible for risk management, privacy, data governance, business resilience and third-party risk management in a telecommunications provider. As the author of over 40 books on information security and privacy, Gregory serves on advisory boards for continuing cybersecurity education for the University of Washington and the University of South Florida. He resides in central Washington state.