Identification and assessment

The identification and assessment of risk and control prompts action where necessary.

The organisation can respond to risk in a number of ways, including:

  • Transfer part of the risk elsewhere, for example by buying insurance or reinsurance.
  • Treat or mitigate the risk, i.e. reduce its likelihood and/or impact.
  • Accept or tolerate the current level of risk, where it is already within appetite. It may also sometimes be appropriate to accept the current level of risk where the cost of mitigating it is disproportionate to the benefits to be gained by doing so.
  • Eliminate or terminate the risk, for example by exiting a class of business altogether.

When determining the appropriateness of risk responses, the following should be considered:

  • The feasibility and relative costs (direct, indirect and opportunity) and benefits of alternative risk response options, the cost of designing and implementing a new control, and the ongoing cost of operating the control.
  • How to ensure responses are based on a comprehensive understanding of risk and its components, particularly the causes of risk, so that those causes are addressed.
  • How risk events and their controls interact with one another. In determining the most appropriate response, a portfolio view of risk and control can enable management to determine whether the organisation's overall level of risk is commensurate with its risk appetite.
  • Whether risks that cannot be controlled to within acceptable levels should be avoided, or contingency plans developed.

Action plans are typically developed and implemented to address unacceptable levels of risk and/or to remediate control weaknesses.

The organisation should consider how its assurance processes can ensure that controls operate effectively and that action plans are implemented.

Last updated on 09 Jul 2008