I’m often asked by prospective clients why it’s so important to formally address risk within an organization and why the appropriate risk owners must acknowledge said risks in writing. Here’s a question I received form a client last week.
We are currently evaluating a technology risk in our organization and request information and/or advice.
Acknowledging risk can feel scary, but is an important step to take when securing your business. Here’s how I answered the client and the advice I generally give when asked about managing risk.
In our opinion, and consistent with information security and risk management best practices, you have four means to address risk;
- Avoid
- Accept
- Mitigate/Remediate
- Transfer
Avoid the Risk
Ignoring a risk is not an available option and is a version of acceptance. Based on our understanding of the risk you reference; your organization is not in a position to avoid the risk. This leaves three of the options to pursue.
Accept the Risk
Your organization can accept the risk. This is done by the business line or the owner of the risk’s existence. Traditionally there is a written and acknowledged/signed form of documentation that outlines what the risk is, why it’s being accepted by the organization, for how long and by whom. You may also capture special restrictions on where the risk is allowed to exist.
Mitigate Risks
Your organization can mitigate or remediate the risk. This can be done by putting in place compensating controls to surround the risk’s existence with the goal of lowering the risk to a low enough level that it can then be accepted.
Transfer Risks
Your organization can transfer the risk. This is traditionally done with insurance. Your organization should discuss with their insurance broker or agent about the scenario where this risk would materialize. The broker should be able to walk through current policy coverage and explain how the current policy would take effect if a claim were made.
If your organization’s broker cannot perform this function, I highly recommend finding a new broker. This is a standard ask for that service your organization is paying for.
If you’re looking for advice while searching for cyber insurance, we are partnered with several brokers and are happy to make a recommendation after learning a bit about your business and goals. Get in touch for cyber insurance guidance today.