CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:00
All right. Other options for dealing with loss may be to share the risk, or risk transference, as it's often referred to. Now, there are a couple of things that are important to understand with risk transference.
00:14
First of all, by transferring a risk, you're really not necessarily guaranteeing
00:19
a reduction in the probability or impact of the risk event.
00:24
So what I mean by that is, if I buy fire insurance for my house, my house is still every bit as likely to catch on fire, even though I've bought insurance, right? That doesn't matter.
00:36
And if it does catch on fire, I'm gonna have the same amount of damage to my house, whether I have insurance or not.
00:44
So what risk transference means is, it doesn't mean that you've lessened the probability or impact. What it means is you have, um, you have the potential to share that loss with another entity, right? And that guarantee of share of loss, if you will,
01:03
comes to us through the contract or the service level agreement.
01:07
So when you look at risk transference, it's about the potential sharing of loss,
01:12
and that's driven by, you know, if you look at cloud service providers, if you look at third-party vendors, really, the piece that makes it transference is in the contracts that we sign.
01:23
All right. Now,
01:26
at some point in time, we may find that mitigating the risk or transferring the risk
01:34
is more cost, more effort than it's worth.
01:38
You know what? I'm not gonna spend $50 to protect a $20 bill.
01:42
So sometimes, we may choose to accept risk,
01:47
and risk acceptance can look a couple of different ways. In one instance, risk acceptance may just be when you have no choice.
01:55
You know what? We're two weeks behind. I'm just gonna have to accept the risk that we're gonna finish behind. There may be nothing else I can do about it
02:04
other than just go.
02:06
I accept that risk.
02:07
But other times
02:09
when we talk about risk acceptance, usually it's when we talk about choosing to accept a risk. What we're looking at is cost-benefit analysis.
02:20
We're going back to those quantitative assessments or sometimes even qualitative assessments that we looked at earlier.
02:25
And we're looking at our potential for loss. If you'll remember, probability times impact gave us the potential for loss.
02:34
And then I measured the potential for loss up against the cost of the countermeasure.
02:38
And if the cost of the countermeasure is greater than my potential for loss, it doesn't make sense.
02:45
It doesn't make sense to mitigate, right? It costs more than what I'm gonna lose. So at that point in time, I may choose to accept the loss, or to accept the risk, rather. Um, I will mention that,
03:00
you know, perhaps, um, with something like an earthquake,
03:05
you know, we had an earthquake. I'd only lived in the D.C. area for a couple of months before there was an earthquake in the area. I'm from North Carolina, had never been in an earthquake before.
03:15
So when that happened,
03:20
it caught my attention,
03:21
I will tell you that I kind of thought earthquakes were just those things that West Coast people made up to get attention.
03:29
Turns out that's not.
03:30
But ultimately
03:32
what I did, though, is I didn't just go, huh?
03:36
I went out and I did some research, and I looked to see historically how many earthquakes hit the Washington, D.C. area, and it wasn't many.
03:45
And then I said, well, when they do hit, what's the impact? And the impact's traditionally very low for typical businesses.
03:53
And I said, well, based on the fact that they're very unlikely, and even if they do happen,
03:58
there's not much impact.
04:00
It's not worth
04:01
really making a more active plan to deal with earthquakes. I'm not gonna move into a steel-reinforced building,
04:09
right. I'm going to simply accept the risk
04:13
now. The problem is, when I choose to accept the risk, I may need to be able to justify that, right? Because if that earthquake happens
04:23
and if my entire business is destroyed and my shareholders come knocking on my door going,
04:29
why didn't you protect us?
04:30
Then I need to be able to go back and have a paper trail that says, this is why I made the decisions that I did. Here's the criteria I used. This was a thoughtful, purposeful business decision,
04:44
because on the flip side of risk acceptance is something called risk rejection,
04:48
and risk rejection essentially looks a lot like, la la la, I don't think about it, I don't want to talk about it.
04:55
Now, of course, if that's your management strategy, you're very likely to end up on the wrong side of the law, liability-wise.
05:01
So the difference between risk acceptance and risk rejection, although they might look the same because you're not really doing anything, the difference is due diligence. With risk acceptance I show due diligence; with risk rejection I ignore it.

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor