____________ is the initial step of the total process of insuring a health risk.

Identification of Options | Development of Action Plan | Approval of Action Plan | Implementation of Action Plan | Identification of Residual Risks

According to its definition, Risk Treatment is the process of selecting and implementing of measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk. The measures (i.e. security measurements) can be selected out of sets of security measurements that are used within the Information Security Management System (ISMS) of the organization. At this level, security measurements are verbal descriptions of various security functions that are implemented technically (e.g. Software or Hardware components) or organizationally (e.g. established procedures).

Identification of Options

Having identified and evaluated the risks, the next step involves the identification of alternative appropriate actions for managing these risks, the evaluation and assessment of their results or impact and the specification and implementation of treatment plans.

Since identified risks may have varying impact on the organization, not all risks carry the prospect of loss or damage. Opportunities may also arise from the risk identification process, as types of risk with positive impact or outcomes are identified.

Management or treatment options for risks expected to have positive outcome include:

• starting or continuing an activity likely to create or maintain this positive outcome;
• modifying the likelihood of the risk, to increase possible beneficial outcomes;
• trying to manipulate possible consequences, to increase the expected gains;
• sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains;
• retaining the residual risk.

Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:

• to avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk;
• to modify the likelihood of the risk trying to reduce or eliminate the likelihood of the negative outcomes;
• to try modifying the consequences in a way that will reduce losses;
• to share the risk with other parties facing the same risk (insurance arrangements and organizational structures such as partnerships and joint ventures can be used to spread responsibility and liability); (of course one should always keep in mind that if a risk is shared in whole or in part, the organization is acquiring a new risk, i.e. the risk that the organization to which the initial risk has been transferred may not manage this risk effectively.)
• to retain the risk or its residual risks;

In general, the cost of managing a risk needs to be compared with the benefits obtained or expected. During this process of cost-benefit judgments, the Risk Management context established in the first process (i.e. Definition of Scope and Framework) should be taken into consideration. It is important to consider all direct and indirect costs and benefits whether tangible or intangible and measured in financial or other terms.

More than one option can be considered and adopted either separately or in combination. An example is the effective use of support contracts and specific risk treatments followed by appropriate insurance and other means of risk financing.

In the event that available resources (e.g. the budget) for risk treatment are not sufficient, the Risk Management action plan should set the necessary priorities and clearly identify the order in which individual risk treatment actions should be implemented.

Development of Action Plan

Treatment plans are necessary in order to describe how the chosen options will be implemented. The treatment plans should be comprehensive and should provide all necessary information about:

• proposed actions, priorities or time plans,
• resource requirements,
• roles and responsibilities of all parties involved in the proposed actions,
• performance measures,
• reporting and monitoring requirements.

Action plans should be in line with the values and perceptions of all types of stakeholders (e.g. internal organizational units, outsourcing partner, customers etc.). The better the plans are communicated to the various stakeholders, the easier it will be to obtain the approval of the proposed plans and a commitment to their implementation.

Approval of Action Plan

As with all relevant management processes, initial approval is not sufficient to ensure the effective implementation of the process. Top management support is critical throughout the entire life-cycle of the process. For this reason, it is the responsibility of the Risk Management Process Owner to keep the organization’s executive management continuously and properly informed and updated, through comprehensive and regular reporting

Implementation of Action Plan

The Risk Management plan should define how Risk Management is to be conducted throughout the organization. It must be developed in a way that will ensure that Risk Management is embedded in all the organization’s important practices and business processes so that it will become relevant, effective and efficient.

More specifically, Risk Management should be embedded in the policy development process, in business and strategic planning, and in change management processes. It is also likely to be embedded in other plans and processes such as those for asset management, audit, business continuity, environmental management, fraud control, human resources, investment and project management.

The Risk Management plan may include specific sections for particular functions, areas, projects, activities or processes. These sections may be separate plans but in all cases they should be consistent with the organization’s Risk Management strategy (which includes specific RM policies per risk area or risk category).

The necessary awareness of and commitment to Risk Management at senior management levels throughout the organization is mission critical and should receive close attention by:

• obtaining the active ongoing support of the organization’s directors and senior executives for Risk Management and for the development and implementation of the Risk Management policy and plan;
• appointing a senior manager to lead and sponsor the initiatives;
• obtaining the involvement of all senior managers in the execution of the Risk Management plan.

The organization’s board should define, document and approve its policy for managing risk, including objectives and a statement of commitment to Risk Management. The policy may include:

• the objectives and rationale for managing risk;
• the links between the policy and the organization’s strategic plans;
• the extent and types of risk the organization will take and the ways it will balance threats and opportunities;
• the processes to be used to manage risk;
• accountabilities for managing particular risks;
• details of the support and expertise available to assist those involved in managing risks;
• a statement on how Risk Management performance will be measured and reported;
• a commitment to the periodic review of the Risk Management system;
• a statement of commitment to the policy by directors and the organization’s executive.

Publishing and communicating a policy statement of this type demonstrates to the organization’s internal and external environment the commitment of the executive board to Risk Management and clearly specifies roles and accountability on a personal level.

The directors and senior executives must be ultimately responsible for managing risk in the organization. All personnel are responsible for managing risks in their areas of control. This may be facilitated by:

• specifying those accountable for the management of particular risks, for implementing treatment strategies and for the maintenance of  controls;
• establishing performance measurement and reporting processes;
• ensuring appropriate levels of recognition, reward, approval and sanction.

As it becomes apparent, the actual implementation of security measurements for the underlying IT platform is not part of this activity. Rather, the implementation of action plans is concerned with the actions to be performed to reduce the identified risks. The work necessary at the level of the technical implementation of security measures is conducted within the ISMS, that is, outside the Risk Management process.

Last but not least, an important responsibility of the top management is to identify requirements and allocate necessary resources for Risk Management. This should include people and skills, processes and procedures, information systems and databases, money and other resources for specific risk treatment activities. The Risk Management plan should also specify how the Risk Management skills of managers and staff will be developed and maintained.

Identification of Residual Risks

Residual risk is a risk that remains after Risk Management options have been identified and action plans have been implemented. It also includes all initially unidentified risks as well as all risks previously identified and evaluated but not designated for treatment at that time.

It is important for the organizations management and all other decision makers to be well informed about the nature and extent of the residual risk. For this purpose, residual risks should always be documented and subjected to regular monitor-and-review procedures.

Page 2

▲ More topics

▼ More topics

Page 3

Identification of Options | Development of Action Plan | Approval of Action Plan | Implementation of Action Plan | Identification of Residual Risks

According to its definition, Risk Treatment is the process of selecting and implementing of measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk. The measures (i.e. security measurements) can be selected out of sets of security measurements that are used within the Information Security Management System (ISMS) of the organization. At this level, security measurements are verbal descriptions of various security functions that are implemented technically (e.g. Software or Hardware components) or organizationally (e.g. established procedures).

Identification of Options

Having identified and evaluated the risks, the next step involves the identification of alternative appropriate actions for managing these risks, the evaluation and assessment of their results or impact and the specification and implementation of treatment plans.

Since identified risks may have varying impact on the organization, not all risks carry the prospect of loss or damage. Opportunities may also arise from the risk identification process, as types of risk with positive impact or outcomes are identified.

Management or treatment options for risks expected to have positive outcome include:

• starting or continuing an activity likely to create or maintain this positive outcome;
• modifying the likelihood of the risk, to increase possible beneficial outcomes;
• trying to manipulate possible consequences, to increase the expected gains;
• sharing the risk with other parties that may contribute by providing additional resources which could increase the likelihood of the opportunity or the expected gains;
• retaining the residual risk.

Management options for risks having negative outcomes look similar to those for risks with positive ones, although their interpretation and implications are completely different. Such options or alternatives might be:

• to avoid the risk by deciding to stop, postpone, cancel, divert or continue with an activity that may be the cause for that risk;
• to modify the likelihood of the risk trying to reduce or eliminate the likelihood of the negative outcomes;
• to try modifying the consequences in a way that will reduce losses;
• to share the risk with other parties facing the same risk (insurance arrangements and organizational structures such as partnerships and joint ventures can be used to spread responsibility and liability); (of course one should always keep in mind that if a risk is shared in whole or in part, the organization is acquiring a new risk, i.e. the risk that the organization to which the initial risk has been transferred may not manage this risk effectively.)
• to retain the risk or its residual risks;

In general, the cost of managing a risk needs to be compared with the benefits obtained or expected. During this process of cost-benefit judgments, the Risk Management context established in the first process (i.e. Definition of Scope and Framework) should be taken into consideration. It is important to consider all direct and indirect costs and benefits whether tangible or intangible and measured in financial or other terms.

More than one option can be considered and adopted either separately or in combination. An example is the effective use of support contracts and specific risk treatments followed by appropriate insurance and other means of risk financing.

In the event that available resources (e.g. the budget) for risk treatment are not sufficient, the Risk Management action plan should set the necessary priorities and clearly identify the order in which individual risk treatment actions should be implemented.

Development of Action Plan

Treatment plans are necessary in order to describe how the chosen options will be implemented. The treatment plans should be comprehensive and should provide all necessary information about:

• proposed actions, priorities or time plans,
• resource requirements,
• roles and responsibilities of all parties involved in the proposed actions,
• performance measures,
• reporting and monitoring requirements.

Action plans should be in line with the values and perceptions of all types of stakeholders (e.g. internal organizational units, outsourcing partner, customers etc.). The better the plans are communicated to the various stakeholders, the easier it will be to obtain the approval of the proposed plans and a commitment to their implementation.

Approval of Action Plan

As with all relevant management processes, initial approval is not sufficient to ensure the effective implementation of the process. Top management support is critical throughout the entire life-cycle of the process. For this reason, it is the responsibility of the Risk Management Process Owner to keep the organization’s executive management continuously and properly informed and updated, through comprehensive and regular reporting

Implementation of Action Plan

The Risk Management plan should define how Risk Management is to be conducted throughout the organization. It must be developed in a way that will ensure that Risk Management is embedded in all the organization’s important practices and business processes so that it will become relevant, effective and efficient.

More specifically, Risk Management should be embedded in the policy development process, in business and strategic planning, and in change management processes. It is also likely to be embedded in other plans and processes such as those for asset management, audit, business continuity, environmental management, fraud control, human resources, investment and project management.

The Risk Management plan may include specific sections for particular functions, areas, projects, activities or processes. These sections may be separate plans but in all cases they should be consistent with the organization’s Risk Management strategy (which includes specific RM policies per risk area or risk category).

The necessary awareness of and commitment to Risk Management at senior management levels throughout the organization is mission critical and should receive close attention by:

• obtaining the active ongoing support of the organization’s directors and senior executives for Risk Management and for the development and implementation of the Risk Management policy and plan;
• appointing a senior manager to lead and sponsor the initiatives;
• obtaining the involvement of all senior managers in the execution of the Risk Management plan.

The organization’s board should define, document and approve its policy for managing risk, including objectives and a statement of commitment to Risk Management. The policy may include:

• the objectives and rationale for managing risk;
• the links between the policy and the organization’s strategic plans;
• the extent and types of risk the organization will take and the ways it will balance threats and opportunities;
• the processes to be used to manage risk;
• accountabilities for managing particular risks;
• details of the support and expertise available to assist those involved in managing risks;
• a statement on how Risk Management performance will be measured and reported;
• a commitment to the periodic review of the Risk Management system;
• a statement of commitment to the policy by directors and the organization’s executive.

Publishing and communicating a policy statement of this type demonstrates to the organization’s internal and external environment the commitment of the executive board to Risk Management and clearly specifies roles and accountability on a personal level.

The directors and senior executives must be ultimately responsible for managing risk in the organization. All personnel are responsible for managing risks in their areas of control. This may be facilitated by:

• specifying those accountable for the management of particular risks, for implementing treatment strategies and for the maintenance of  controls;
• establishing performance measurement and reporting processes;
• ensuring appropriate levels of recognition, reward, approval and sanction.

As it becomes apparent, the actual implementation of security measurements for the underlying IT platform is not part of this activity. Rather, the implementation of action plans is concerned with the actions to be performed to reduce the identified risks. The work necessary at the level of the technical implementation of security measures is conducted within the ISMS, that is, outside the Risk Management process.

Last but not least, an important responsibility of the top management is to identify requirements and allocate necessary resources for Risk Management. This should include people and skills, processes and procedures, information systems and databases, money and other resources for specific risk treatment activities. The Risk Management plan should also specify how the Risk Management skills of managers and staff will be developed and maintained.

Identification of Residual Risks

Residual risk is a risk that remains after Risk Management options have been identified and action plans have been implemented. It also includes all initially unidentified risks as well as all risks previously identified and evaluated but not designated for treatment at that time.

It is important for the organizations management and all other decision makers to be well informed about the nature and extent of the residual risk. For this purpose, residual risks should always be documented and subjected to regular monitor-and-review procedures.

Page 4

• This report presents the results of desktop research and the analysis of currently used cybersecurity Risk Management (RM) frameworks and methodologies with the potential for interoperability. The identification of the most prominent RM frameworks...

  Published on January 13, 2022

• This report proposes a methodology for assessing the potential interoperability of risk management (RM) frameworks and methodologies and presents related results. The methodology used to evaluate interoperability stemmed from extensive research of...

  Published on January 13, 2022

• Children are the most valuable part of every society, regardless of culture, religion and national origin. Given the rapidly increasing digitalisation of their lives, it seemed important to assess risks related to internet usage and, in particular...

  Published on September 10, 2011

• Cloud computing offers a host of potential benefits to public bodies, including scalability, elasticity, high performance, resilience and security together with cost efficiency. Understanding and managing risks related to the adoption and...

  Published on January 17, 2011

• Published on April 12, 2010

• Published on March 24, 2010

• Published on March 24, 2010

• Published on March 24, 2010

• Published on March 24, 2010

• This is an introductory manual for the ENISA Emerging and Future Risks Framework.

  Published on March 01, 2010

• The purpose of this briefing is to give an introduction to the possibilities offered by behavioural biometrics, as well as their limitations and the main issues of disagreement between experts in the field.

  Published on February 18, 2010

• One of the most important recommendations in the ENISA’s Cloud Computing Risk Assessment report is the Information Assurance Framework, a set of assurance criteria designed to assess the risk of adopting cloud services, compare different Cloud...

  Published on November 20, 2009

• Published on November 20, 2009

• ENISA, supported by a group of subject matter expert comprising representatives from Industries, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, an risks assessment on cloud...

  Published on November 20, 2009

• In this page you will find the German version of the report.

  Published on October 01, 2008

• In this page you will find the Spanish version of the report.

  Published on October 01, 2008

• In this page you will find the French version of the report.

  Published on October 01, 2008

• The ENISA Working Group on Privacy & Technology has been established to analyse the problems posed by these technology trends and the implications for the current EU legal framework. The main task of the Working Group is to propose actions to cope...

  Published on October 01, 2008

• Published on February 01, 2008

• Published on February 01, 2007

• Published on February 01, 2007

• Published on February 01, 2007

• Published on February 01, 2007

• Published on February 01, 2007

• Published on June 01, 2006

• Information packages for 2-3 types of organisations to help them in selecting and applying a suitable method for performing and managing information security related risks.

  Published on March 30, 2006

• Published on March 30, 2006