
Risk Mitigation

After both the business and technical risk assessments have been conducted, review the findings and assign each risk a score based on your own defined matrix. Next, mitigate that risk, or put in place a compensating control to limit the risk exposure.

Control Types

Earlier in this course we discussed different control types. They were identified as the following:

  1. Preventative
  2. Detective
  3. Corrective

Now is the time to review your risk matrix and align each risk to a control type. If you have already done this as part of your scoring model, this step is not needed. However, it is easier to have the mitigating control type listed alongside each risk.

| Severity | Identified Risk | Probability of Risk Occurring | Mitigating Control Type |
|----------|-----------------|-------------------------------|-------------------------|
| Critical | "Risk 1"        | 23%                           | Corrective              |
| High     | "Risk 2"        | 85%                           | Compensating            |
| Medium   | "Risk 3"        | 15%                           | Detective               |
| Low      | "Risk 4"        | 27%                           | Preventative, Detective |

Formula for Determining Risk

Drawing from this information, you can now start to develop risk mitigations based on the scoring model or risk matrix you have developed. During this time your main focus will be working with the organization to come up with controls that mitigate each risk.

Some of the control types you develop and implement to minimize risk could impact the budget. It is important to understand this and to ensure the organization's management team is aware that if deficiencies exist, they could cost money and resources to fix.

Risk Acceptance

During this time, if you find that the organization is willing to tolerate or accept a certain level of risk, ensure that this is documented and explained to the audit team. As a lead implementer, it is not your job to force the organization to mitigate risk, but to make sure they understand the risk level and determine the level of acceptance themselves. It is also important to ensure that the accepted level of risk does not result in a failed common criteria, which may lead to a qualified audit opinion.