All right, we move from risk identification to risk assessment,
and now we're gonna look at risk response and mitigation.
So this is the third step of the life cycle, and this is where we actually try to address risk.
And you can say that the key purpose of this function is to reduce residual risk to a degree that's acceptable by senior management. Okay, so as we always say, alignment with business objectives: senior management has a risk appetite, and they have levels of
tolerance with individual risks,
so what we want to do is we want to examine the existing risk
versus what management's acceptable level is. And we want to respond with a series of mitigating controls that will lessen the risk until it falls within the realm of what's acceptable.
So when we do that, we have four primary solutions or four primary choices. We have risk mitigation.
We have risk avoidance, risk transference and risk acceptance. So when we look into these options, let's take a look first at risk mitigation.
Now, risk mitigation is sometimes referred to as risk reduction, and the whole purpose of risk mitigation is to lessen the probability and/or impact of a risk. This first bullet point says the frequency; frequency and probability mean the same thing, right?
So we're talking: I can't lessen the probability of rain.
But if I take an umbrella, I can lessen its impact, right? So in that case, I'm mitigating a risk. Or maybe I can't lessen the impact that malware would have on a system. But I can lessen the frequency with which that system is impacted by having anti-malware software.
So both of those are strategies for risk mitigation,
so we can mitigate through
a variety of controls; they could be technical controls. We'll talk later about a balanced response, but you know, we can mitigate risk through processes and procedures. We can mitigate risk through encryption and firewalls. We can mitigate risk through locking our doors and having a security guard.
So there are lots of different ways that we can approach lessening the amount of risk to which we're exposed.
Don't make the mistake of going into this again with just that high-end sort of technical thought process.
A good administrative policy, like onboarding procedures, can solve or can prevent a ton of risks, and it's much cheaper to prevent than correct. So don't underestimate the importance of administrative controls and physical controls in addition to technical
controls as well.
Now, the thing about risk mitigation,
so we're gonna lessen either probability, frequency or impact.
Well, if I can lessen either one of those or both, all the way down to zero, what I've really done is I've avoided the risk.
You know, if I could bring the probability of a risk down to zero, well, there's no risk any longer. Or if I can lessen the impact.
So with risk avoidance, that's what's what we're doing now. We don't talk in terms of eliminating risks, right? We can't eliminate risks, but there are particular risks that we can avoid.
Right? Honestly,
I don't feel like we can secure a guest wireless network to a degree
that I feel comfortable having one or offering that service. So we just don't. We have avoided the risk, right? I'm just not gonna offer that as a service.
I'm concerned with opening up a location in an area of political upheaval.
Well, I do some research, and I say it's just not worth it.
And usually when you get to risk avoidance, that's kind of what you're doing: you're choosing another option because the risks associated with one solution are just so high.
So with risk reduction, we're lessening probability and/or impact,
and if we're able to lessen either of those all the way down to zero, then we've avoided the risk.