Risk Acceptance


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> In our previous section, we talked about our risk action plan. We've looked at the value of the risk, we've determined what our responses are and how we're going to move forward in that risk action plan, but let's focus a little bit on what those risk options are going to be. When we talk about responding to a risk, we've got four basic choices. We can accept the risk, we can mitigate it, avoid it, or transfer it.

Now, the first risk response that we're going to talk about is risk acceptance. When we talk about accepting the risk, our ultimate goal is to bring down what risk there is to a degree that's acceptable. When we talk about accepting risk, that's the point where we no longer mitigate. Now, out of the box, some risks may be at an acceptable level. Because remember, there's a certain amount of just inherent risk with everything. Many risks inherently have acceptable levels. I mean, there's a risk that comes with crossing the street, so you mitigate. You do what you can: you look both ways, you cross at a crosswalk, but then above and beyond that, you really accept what risk there is. It either just has an inherently acceptable level of risk, or we mitigate to the level or degree that's acceptable.

Now, with acceptable risk, we no longer mitigate once we reach that acceptable level. Because again, you get to that point of diminishing returns. When I mitigate risk to the degree that's acceptable, I don't keep throwing money at the problem. That's the whole reason that management has set up an acceptable level of risk.

Now, the other thing that's really important about this is that it's a conscious decision, and this is made by senior management. We're going to really say the risk owner, which could absolutely be senior management, but I think risk owner is probably a better term here. It's a conscious decision to look at the existence of the risk. It's not ignoring a risk; it's not sticking your fingers in your ears and going "la, la, la, la, la, it doesn't exist." We look at the risk, we examine it, and we analyze it. When we look at the loss potential and we compare that to the cost of the countermeasure, and we determine it costs more to mitigate the risk than the risk itself, well, that's a good indication that it's time to accept the risk.

Sometimes you have to accept a risk because there's nothing else you can do about it. If my project is two weeks late, I have to accept the fact that it's two weeks late. I have to accept the risk that we are going to come in behind schedule. Now, that acceptance has to be made with a clear understanding of the probability and impact of the risk. Impact is huge when we talk about risk acceptance, because we're no longer mitigating. Again, it has to fall within the acceptable level; it must be a conscious decision.

Again, risk ignorance is not the same; that's the same as risk rejection. I think a good question might be: if you do nothing when you accept a risk, and you also do nothing when you reject a risk, what's the difference? Tomato, tomahto? Not at all. Risk acceptance uses due diligence; risk rejection does not. When it comes down to ideas like culpable negligence, you're much more likely to be found liable if you've rejected a risk. But with risk acceptance, I have a paper trail and I can show and justify: here was our potential for loss, here is how much money it would have cost us to mitigate that risk. Even with that, maybe the controls weren't all that effective, whatever it is. I can show that it was a legitimate business decision. Again, when we accept a risk, ideally that risk is within the tolerance level. Look for a phrase or some iteration of risk acceptance. Residual risk is the point at which you accept risks. You mitigate risks until the residual risk falls within acceptable levels.

Now, like I said, there are lots of reasons that we may accept a risk. Generally, it's when the cost of the countermeasure is greater than the potential for loss. But like I said, there are some risks that you just don't have any control over, that you just have to accept. Now, also risks that are generally very improbable, even if they're high-impact, or low-probability, low-impact. When we talked about our risk assessment, we talked about the probability and impact matrix. When we have certain risks that fall within that first risk band, where they are of a low probability and a low impact, that generally is one of those things that pushes us towards risk acceptance.

Now, that risk acceptance level should be known. It's not so much of an individual decision. We go back to our risk register, which we created earlier, where we did the qualitative risk. The qualitative assessment helps us prioritize risks based on probability and impact. We use tools like the risk bands, and then those in a specific area as dictated by the organizational policy or the decisions made at the project, whatever it is. Those that are in the acceptable level, we move on; we spend our money on those risks that are not acceptable.

Now, this second-to-last bullet point, "risk acceptance is often based on poorly calculated risk levels." You know what? The type of risk I'm talking about on this slide, that's true. When we look and we determine, "Hey, I'm not going to meet my project end date as stated," at that point in time you have no choice but to accept the risk. What's happened, what's made me late? Risk has made me late on my project. Perhaps unmitigated risks, risk responses that failed. Risk acceptance can be based on poorly calculated risk levels. Risk acceptance is a perfectly valid response. Absolutely, it is the correct response in many situations. However, sometimes, those times when you're left with just no choice but to accept a risk, a lot of times we make mistakes in evaluating those risks.

Now, we accept the risk; the risk falls within the acceptable level. We know that we're not done. You never just brush your hands together and say, "We have dealt with risk, now I can go on vacation for a month." Risk never takes a holiday. Even though we've chosen to accept a risk today, that doesn't mean in five years that's still a good response. As a matter of fact, it doesn't mean that next year that's still a good risk response. Because the threat landscape is always changing, because there are various things that impact our risk profile, we always want to remember: whatever our decision is, regular reviews are essential. CRISC specifies a regular review as at least once per year or in the event of a major change. We have a particular risk that we've accepted; next year, or a year from then, as part of our regular annual risk review, we go back and we look at our controls to determine, are they still sufficient?