Chapter 112 · Security Program Management

Risk Management Strategies

The five organizational responses to identified risk — transfer, accept, accept with exemption, accept with exception, avoid, and mitigate — plus risk reporting as the mechanism for communicating risk status to organizational leadership.

Confidential
Report ID: RMS-2024-001Domain: Security Program ManagementTopic: Risk Transfer & Risk Acceptance

Risk Transfer and Risk Acceptance

After identifying and analyzing risks, organizations must decide how to respond to each one. No organization can eliminate all risk, and attempting to do so would consume infinite resources. The goal of risk management strategy is to reduce risk to an acceptable level through the most appropriate response for each identified risk.

Risk Transfer

Risk transfer involves shifting financial responsibility for a risk to another party. The organization still faces the underlying threat, but another entity bears the financial consequences if the risk is realized.

Risk Acceptance

Risk acceptance occurs when an organization deliberately decides to tolerate a risk without implementing additional controls beyond what is already in place. This is the most common risk management decision because organizations face more risks than they can fully mitigate.

Risk transfer = shift financial consequences to another party (insurance, outsourcing). Risk acceptance = deliberate, documented decision to tolerate the risk. Acceptance is the most common strategy. Transfer does not prevent the incident; it funds recovery.
Confidential
Report ID: RMS-2024-002Domain: Security Program ManagementTopic: Exemptions, Exceptions, Risk Avoidance & Mitigation

Exemptions, Exceptions, Risk Avoidance, and Risk Mitigation

Accepting Risk with an Exemption

An exemption applies when a security policy or regulatory requirement cannot be followed due to practical limitations. The organization acknowledges the gap and formally documents that a specific requirement does not apply to a specific situation, with management approval.

Accepting Risk with an Exception

An exception applies when internal security policies are temporarily or specifically not followed due to operational conflict. Unlike an exemption (where compliance is impossible), an exception is a temporary or specific deviation where compliance is possible but creates an operational problem.

Risk Avoidance

Risk avoidance eliminates the risk entirely by stopping the activity that creates the risk. When a risk is avoided, there is no need for additional controls because the threat is completely removed.

Risk Mitigation

Risk mitigation reduces the likelihood or impact of a threat without completely eliminating it. Mitigation is the most common strategy used in practice because most organizations must continue operating in environments where complete risk avoidance is not possible.

StrategyActionRisk Eliminated?Example
TransferShift financial consequences to another partyNo (threat remains)Cybersecurity insurance
AcceptDeliberately tolerate the riskNo (risk acknowledged)Old hardware not replaced
ExemptionPolicy cannot be applied; formal documented exceptionNo (residual risk accepted)Unpatched manufacturing equipment
ExceptionTemporary deviation from policy due to operational conflictNo (temporary deviation)Delayed patching due to software crash
AvoidStop the activity that creates the riskYes (risk removed)Retire vulnerable application
MitigateImplement controls to reduce likelihood or impactNo (risk reduced, not eliminated)Install NGFW, implement MFA
Avoid = only strategy that eliminates risk completely (but may limit operations). Mitigate = most common strategy (reduce risk to acceptable level). Exemption = policy cannot be applied. Exception = temporary deviation with operational justification. Transfer = insurance pays; threat still exists.
Confidential
Report ID: RMS-2024-003Domain: Security Program ManagementTopic: Risk Reporting

Risk Reporting

Purpose of Risk Reporting

Risk reporting is the formal communication of identified risks, their status, and recommended actions to organizational leadership. It bridges the gap between the technical security team's risk analysis and the business decisions that senior leadership must make about resources, priorities, and risk acceptance.

Risk Report Content

A formal risk report typically includes:

Critical and Emerging Risks

Risk reports commonly emphasize two categories of special concern:

Risk report audience = senior management and executives who make budget and priority decisions. Always includes critical risks (highest severity) and emerging risks (newly identified). Translates technical findings into business impact terms that enable informed decision-making.