You're reading from  ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Risk Response and Control Ownership

This chapter marks the beginning of Domain 3: Risk Response and Reporting for CRISC. This domain represents 32 percent (approximately 48 questions) of the revised CRISC exam. As a reminder, Domain 2 of the CRISC exam and the material we learned until Chapter 9, Business Impact Analysis, and Inherent and Residual Risk, focused on IT risk assessment, which relates to IT risk analysis and assessment. This and the following three chapters focus on risk response, control design and implementation, and risk monitoring and reporting.

The aim of this chapter is to introduce the concepts of risk response and monitoring and risk and control ownership, take a deeper dive into the risk response strategies – mitigate/accept/transfer/avoid – and ultimately learn about risk optimization.

In this chapter, we will cover the following topics:

  • Risk response and monitoring
  • Risk owners and control owners
  • Risk response strategies
  • ...

Risk response and monitoring

In the last few chapters, we looked at the best practices for performing risk identification and the best practices for risk assessment. In this and the upcoming chapters, we will learn about the various practices of risk response. The following diagram illustrates the IT risk management life cycle.

Figure 10.1 – IT risk management life cycle

There can be multiple responses to a risk; however, the job of the risk manager is to assess each of the responses with respect to the budget, time, external regulatory factors, and any disruptions to the current services and identify the response that would most optimize the risk for available resources at the time. The risk manager should then propose these responses to management and relevant stakeholders to obtain buy-in and implement the agreed controls in a reasonable timeframe.

It is important for an organization to monitor the implemented solution over time to confirm...

Risk owners and control owners

In the previous chapters, we learned about various methods for performing a risk assessment and the importance of having a risk register to catalog all organizational risks in one place. An extremely important part of the risk catalog is having an owner for each identified risk, so that accountability for the risk is clearly assigned and a dedicated individual can be reached to approve the risk response strategy.

In the absence of a risk owner, the organization will have a difficult time finding the individual accountable for risk treatment, and the risk may go unnoticed. The risk owner should be a manager or a member of the executive committee who is relevant to the identified risk, so that they can provide the budget and mandate the risk response based on the risk practitioner’s guidance.

Similarly, each risk should have a single risk owner who can speak with authority on the risk response and attest true accountability...

Risk response strategies

Risk response, or risk treatment, is the set of actions taken to manage a risk. It is the process of selecting and implementing measures to optimize risk. The following are the four different ways to respond to a risk:

  • Mitigate: Risk mitigation is the management of risk through the implementation of countermeasures and controls. The risk practitioner must always keep in mind that the cost of mitigating a risk should be less than the effective risk. The objective of risk mitigation is not to terminate the risk but to bring it down to an acceptable level. The following are a few examples of risk mitigation:
    • Installing anti-malware software to reduce the risk of malware
    • Performing regular backups to reduce the risk of data loss
    • Updating/patching the systems periodically to reduce the risk of running vulnerable software
    • Documenting and testing incident response, business continuity, and contingency plans to ensure the right individuals are...

Risk optimization

Over the last few chapters, we learned that all risks are not the same and different risks demand different risk responses. That said, the goal of all risk responses is to optimize the risk as much as possible. In some cases, the risk responses are immediately apparent; however, other risks require detailed analysis to provide a response that is best aligned with the organization’s goals and business objectives. An organization can choose a risk response based on the following factors:

  • Risk category (critical/high/medium/low)
  • The cost of associated risks
  • The cost of risk response, such as the cost of implementing controls or insurance premium
  • The availability of controls
  • Available skillsets
  • The complexity of implementing controls
  • Resources and budgeting
  • The alignment of the risk response with organizational strategy
  • Compatibility with current controls
  • Contractual requirements
  • Legal and regulatory requirements
  • ...
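The cost rule for mitigation (the response should cost less than the risk it treats), the requirement that every risk have an owner who approves the response, and the selection of a response from several candidates can be combined into a small decision helper. The following is an added example, not code from the book; the risk register entry, its owner, the four candidate responses, and all monetary figures are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# One candidate response; cost and residual risk are expected annual loss figures.
@dataclass
class Response:
    strategy: str         # "mitigate", "accept", "transfer" or "avoid"
    cost: float           # annual cost of the response (controls, insurance premium, ...)
    residual_risk: float  # expected annual loss that remains after the response

@dataclass
class Risk:
    name: str
    owner: Optional[str]     # accountable individual; required before any decision
    inherent_risk: float     # expected annual loss with no response in place
    acceptable_level: float  # the level management is willing to live with
    candidates: list = field(default_factory=list)

def net_benefit(risk: Risk, response: Response) -> float:
    """Risk reduction the response buys, minus what the response costs."""
    return (risk.inherent_risk - response.residual_risk) - response.cost

def is_viable(risk: Risk, response: Response) -> bool:
    """Viable = brings the risk to an acceptable level and, for mitigation,
    costs less than the risk being treated (the chapter's cost rule)."""
    if response.residual_risk > risk.acceptable_level:
        return False
    if response.strategy == "mitigate" and response.cost >= risk.inherent_risk:
        return False
    return True

def select_response(risk: Risk) -> Optional[Response]:
    """Pick the viable response with the highest net benefit; None means no
    candidate works and the risk owner has to decide what happens next."""
    if not risk.owner:
        raise ValueError(f"risk '{risk.name}' has no owner to approve a response")
    viable = [r for r in risk.candidates if is_viable(risk, r)]
    return max(viable, key=lambda r: net_benefit(risk, r)) if viable else None

# Constructed sample register entry; the figures are illustrative only.
SAMPLE = Risk(
    name="Ransomware on file server", owner="Head of Infrastructure",
    inherent_risk=200_000, acceptable_level=50_000,
    candidates=[
        Response("accept", 0, 200_000),        # above acceptable level
        Response("transfer", 25_000, 80_000),  # insurance alone leaves too much
        Response("mitigate", 40_000, 30_000),  # EDR plus tested backups
        Response("avoid", 150_000, 0),         # decommission the service
    ],
)
```

For the sample entry, mitigation wins (net benefit 130,000 against 50,000 for avoidance), while acceptance and transfer are rejected because they leave the risk above the acceptable level.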

Summary

At the beginning of this chapter, we learned about the importance of risk response and monitoring. We then learned about the roles of risk owners and control owners. It is important for the risk manager to be aware of this ownership of risks and controls to take action on them and define the relevant response strategy. The next section then covered the risk response strategies – mitigation, acceptance, transfer/share, and avoid – that a risk manager can use to respond to a risk. We also noted that the goal of risk response is not to remove the risk altogether but to optimize it and use it as an opportunity instead. We then learned about the factors that the risk manager and the management team must consider before proceeding with a risk response that includes a cost-benefit analysis and thorough diligence on return on investment.

In the next chapter, we will learn about third-party risk management.

Review questions

  1. The primary reason for having a risk owner is to:
    A. Leverage their resources
    B. Ensure accountability
    C. Provide flexibility
    D. Seek assistance
  2. Which of the following is not a risk response strategy?
    A. Accept
    B. Transfer
    C. Treat
    D. Mitigate
  3. A risk manager determines that the primary controls for a risk are not sufficient and hence decides to implement a compensating set of controls. This is an example of:
    A. Risk mitigation
    B. Risk acceptance
    C. Risk sharing
    D. Risk avoidance
  4. Senior management has decided to buy insurance for an earthquake-prone site. This is an example of:
    A. Risk mitigation
    B. Risk acceptance
    C. Risk sharing
    D. Risk avoidance
  5. A risk manager proposes that management terminates onboarding a new tool as it does not adapt itself well to the organization’s changing requirements. This is an example of:
    A. Risk mitigation
    B. Risk acceptance
    C. Risk sharing
    D. Risk avoidance
  6. An organization decides to allow all employees to work remotely for a brief period of time due to geographical risks. This is...

Answers

  1. B. The risk owner for a particular risk drives accountability in remediation.
  2. C. Risk response and risk treatment are often used interchangeably, but "treat" is not a risk response strategy in itself.
  3. A. Implementing additional controls is an example of risk mitigation.
  4. C. The senior management has decided to share the risk with the insurance company.
  5. D. The risk manager has proposed to terminate the onboarding project and hence proposed a risk avoidance response.
  6. B. The organization allowing employees to work remotely is an example of them accepting the risk of work-from-home arrangements.