This is the second part of "Assessing Your Risk" in "The New Manager" series for BCM and CM, and the focus is on:
Note to Reader: In the BCM Institute planning methodology, this phase is called "Risk Analysis and Review" when applied to Business Continuity (BC) planning, "IT Risk Analysis and Review" when applied to IT Disaster Recovery (IT DR) planning, and "Crisis Risk Assessment" when applied to the Crisis Management (CM) and Crisis Communication (CC) planning process. These are the names you will meet when you go in-depth into the various disciplines of BCM, CM, CC and IT DR.
Collectively, ISO 31000 calls the three steps of risk (here, threat) identification, risk analysis and risk evaluation "risk assessment".
(Figure: ISO 31000 Risk Management Model)
It often makes sense to group risk rating values into risk levels, so that threats falling within the same level can be assigned the same importance and priority for treatment. The higher the risk level, the higher the priority for treating the threat. The thresholds that separate the levels are part of the organization's risk criteria and should be agreed before the ratings are produced, not adjusted afterwards to fit them.
The risk treatment options in ISO 31000 are commonly grouped into four generic categories that address the majority of risks. These are:

| Risk Treatment | Description |
| --- | --- |
| Avoidance | Risk Avoidance is an informed decision not to become involved in, or to withdraw from, a risk situation. |
| Reduction | Risk Reduction is taking appropriate actions to lessen the probability, the negative consequences, or both, associated with a risk. |
| Transference | Risk Transference (ISO 31000 calls it risk sharing) shifts the burden of loss for a risk to another party through legislation, contract, insurance or other means. The organization remains accountable for the risk itself; only part of the financial consequence is shared. |
| Acceptance | Risk Acceptance is an informed decision to accept the likelihood and impact of a particular risk, or to pursue an opportunity despite it. Whether a risk can be accepted depends on the risk criteria and the risk appetite set by Top Management. |

Controls are instruments or practices used to manage risk. Every control falls within one of the above four treatment options. We will discuss each of these risk treatment options in another blog.
Current controls are the controls already implemented by the organization to mitigate the risk posed by the threat.
Controls that have been identified but not yet implemented are recorded separately and give no credit until they are in place. Current controls are taken into consideration when prescribing the risk treatment only if they are effectively implemented; a control that exists on paper but has not been tested should not lower the rating.
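The following is an added example, not code from the original post or from BCM Institute, showing the mechanics described above: threats are rated as likelihood x impact, the ratings are grouped into risk levels, and only current controls that are both implemented and effective reduce the rating that is used to prescribe treatment. The 1 to 5 scales, the level thresholds, the sample threats and the control names are all assumptions made for illustration; substitute your own risk criteria.

```python
"""Semi-quantitative risk register: rate, level, and prioritise threats.

Assumptions (illustrative only): likelihood and impact on 1..5 scales,
rating = likelihood x impact, and the LEVELS bands below. The sample
threats and controls in sample_register() are constructed data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed level bands on the 1..25 rating. Highest floor first.
LEVELS: List[Tuple[int, str]] = [(15, "High"), (8, "Medium"), (1, "Low")]


def risk_level(rating: int) -> str:
    """Map a numeric rating to a level band so equal-level threats get equal priority."""
    for floor, name in LEVELS:
        if rating >= floor:
            return name
    raise ValueError(f"rating {rating} is below the lowest band")


@dataclass
class Control:
    name: str
    implemented: bool          # currently in place (a "current control")
    effective: bool            # verified to work; only then does it count
    likelihood_cut: int = 0    # points removed from likelihood when it counts
    impact_cut: int = 0        # points removed from impact when it counts


@dataclass
class Threat:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (catastrophic)
    controls: List[Control] = field(default_factory=list)

    def inherent_rating(self) -> int:
        """Rating before any control is considered."""
        return self.likelihood * self.impact

    def residual_rating(self) -> int:
        """Rating after current controls that are actually effective.

        Controls that are not yet implemented, or implemented but not
        shown to be effective, give no credit.
        """
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.implemented and c.effective:
                lik -= c.likelihood_cut
                imp -= c.impact_cut
        return max(1, lik) * max(1, imp)

    def pending_controls(self) -> List[str]:
        """Controls identified for treatment but not yet implemented."""
        return [c.name for c in self.controls if not c.implemented]


def prioritise(threats: List[Threat]) -> List[dict]:
    """Rank threats by residual rating, highest first, for treatment."""
    rows = [
        {
            "threat": t.name,
            "inherent": t.inherent_rating(),
            "residual": t.residual_rating(),
            "level": risk_level(t.residual_rating()),
            "pending": t.pending_controls(),
        }
        for t in threats
    ]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def sample_register() -> List[Threat]:
    """Constructed sample threats and controls (not real assessment data)."""
    return [
        Threat("Ransomware on file server", 4, 5, [
            Control("Offline backups", True, True, impact_cut=2),
            Control("Endpoint detection and response", False, False, likelihood_cut=1),
        ]),
        Threat("Key supplier insolvency", 3, 3, [
            # Implemented but never exercised: no credit until proven effective
            Control("Second-source supplier contract", True, False, impact_cut=1),
        ]),
        Threat("Regional flooding of main office", 2, 4),
        Threat("Lost or stolen laptop", 5, 2, [
            Control("Full-disk encryption", True, True, impact_cut=1),
        ]),
    ]


if __name__ == "__main__":
    for row in prioritise(sample_register()):
        print(f"{row['level']:6} residual={row['residual']:2} "
              f"(inherent {row['inherent']:2}) {row['threat']}; "
              f"pending: {', '.join(row['pending']) or 'none'}")
```

Running it lists the ransomware threat first (inherent 20, residual 12 because the tested backups count, with endpoint detection still pending), the untested supplier contract earns no credit so that threat stays at 9, and the encrypted laptop drops from 10 to a Low 5. Keeping the inherent and residual ratings side by side makes it visible which priority was bought by a control that must keep working.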