Understanding Risk and Responding Effectively
We also have this information in video format.
Can I eliminate risk?
Not really. There's always going to be some inherent risk in everything we do. But there are different responses that you can take to reduce that risk. For instance, you can mitigate the risk by putting appropriate controls and safeguards in place to decrease the impact of that risk.
For example, consider seatbelts in a car. You know there's a possibility that you may get into a car accident. A seatbelt helps mitigate the damage that you would have in that accident.
There is also risk transference, which is having someone else assume the responsibility and liability for that risk. A good example of that is insurance. In the event of that car accident, you don't have to deal with the burdens of paying for all that yourself. You've got a third party, your insurance company, who will come in and pay the bill for you. You still have to pay for them, but again, the full financial risk isn't on you as an individual.
There's also risk deterrence, which is enacting enough safeguards to try to prevent that risk from happening.
Risk avoidance is basically just looking at a completely alternative approach. You're worried about the risk of being in a car accident, so you choose not to drive a car. Ever.
Then there's risk acceptance. That is looking at the risk, the costs, whether it's possible to avoid, if it can be transferred, and deciding there's nothing you can do about it.
And lastly, there is risk rejection, that is, choosing to do nothing about the risk. Risk rejection usually constitutes gross negligence and is a violation of due care and due diligence. Risk rejection is not a valid risk response when dealing with cyber issues.
One of the common misconceptions about risks is that identifying risks is scary, so you ignore them. However, once you identify that risks are there, then you can plan for them, and you can plan to mitigate them.
So, can you eliminate risk? No, but not all risks are inherently bad. There's always going to be some degree of risk in everything that we do and how businesses operate. It's important for businesses to understand those risks and to respond to them effectively.
Contact us if you have concerns about the cyber risks for your organization.