Controlling risk

Now that we have identified risk - how do we control it? How do we know what risks should be addressed and what should not be addressed?

There are four main strategies for controlling risk...

1. Avoid - Do not engage in the activity that incurs risk or create an environment where there is no risk for the activity.
2. Reduce or mitigate - Develop controls to reduce the risk to an acceptable level.
3. Transfer- Move the risk to another entity, for example, outsourced vendor.
4. Accept - Choose to not address the risk based on completion of due diligence.

What helps an organization understand which strategy to use? Ultimately feasibility and cost benefit analysis tools will create the picture for an organization to weigh the strategy to pursue. For example, if the cost is too high in comparison to the benefit maybe this risk is a candidate for acceptance or mitigation strategy.

There are several standard methodologies for risk management and risk control. These include templates and tools for calculating risk.

Delphi - http://www.projectsmart.co.uk/delphi-technique-a-step-by-step-guide.html

OCTAVE - http://www.cert.org/octave/

Microsoft - http://technet.microsoft.com/en-us/library/cc163143.aspx

FAIR - http://fairwiki.riskmanagementinsight.com/