Risk Response
After risks have been identified and properly assessed, an appropriate action to address each risk must be determined. To ensure that every identified risk is followed up and addressed, an action plan must be assigned to each risk. One action plan may include measures against several vulnerabilities that contribute to a single risk. Depending on the risk rating, the chosen risk treatment (see the approaches described below) and the defined materiality level, the planned actions may vary in the resources assigned to implement the plan and in how frequently progress is monitored. Action plans typically follow one of three approaches to treating risks: Mitigate, Accept or Transfer.
- A decision to Mitigate a risk should be taken when it is clear that the likelihood and exposure associated with the risk are significant and the effort required to mitigate it is proportionate, or when not mitigating the risk would mean breaking the law, failing to comply with regulations, or exposing the company to an unacceptable level of operational, reputational or financial risk. The threshold for what is unacceptable is usually called the materiality level and has to be defined centrally.
- A decision to Accept a risk may be taken if the likelihood and exposure associated with the risk are minimal and have resulted in a relatively low risk severity rating. A decision to accept may also be taken if the time and resources required to mitigate the risk are so large as to be disproportionate to the likelihood and exposure ratings. It is essential that the “Risk Management Committee” and the “Risk Owner” (both explained below) agree on the risk acceptance approach. It is also essential that an Accept decision is taken in compliance with all relevant laws and company approval rules and regulations. Critical for risk acceptance are the approval of the affected Business Unit(s) (the Risk Owner) and proper documentation. The risk acceptance approach can also be used by the IT department to document a decision by its business partner not to spend the money or time on countermeasures, even though countermeasures are possible.
- A decision to Transfer a risk may be taken if it is clear that the organization is not capable of mitigating the risk and the risk is not already owned by a 3rd party partner. The “Risk Management Committee”, the “Risk Owner” and the 3rd party partner must all agree on the risk transfer approach. It is also essential that a Transfer decision is taken in compliance with all relevant laws and company approval rules and regulations. Third parties in this context are typically insurance companies. Caution: risks can never be outsourced, as accountability always stays with you!
Transparency is absolutely crucial at this stage. To accept or to transfer a risk, the action plan must give clear details of the decision: the names of the persons who authorized it (the Risk Owners), the risk level, the scope, the date on which the decision was taken and the justification for it. The risk must be described so that its nature can also be understood by non-IT persons. The documentation of the risk acceptance should be signed off at least by the risk owner(s) and by the person who described the risk and the action plan. With this signature, the person in charge of the object of evaluation confirms that the situation has been described to the best of their knowledge and that all possible solutions have been taken into account.
If you decide to mitigate a risk, the action plan needs to clearly describe the steps that will be taken. The person responsible for the object of evaluation is responsible both for describing the risks and for creating the action plan, since they can describe in sufficient detail what needs to be done, in which order and by whom. Someone who does not know the nature of the risk should be able to understand the activities chosen to address it simply by reading the corresponding action plan. The risk owner then has to accept the action plan and is responsible for its implementation.
As described above, a mitigation action plan must also include the name of the person who owns the risk and the agreed timeline by which the risk should be mitigated. Merely having someone own a risk does not guarantee that it will be mitigated on time, or at all. From a certain risk level on, responsibility for controlling the fulfillment of action plans must be carried out by a central function. This team, or the person managing the overall risk register, needs to keep a close eye on the individual action plans, ensure that all actions are taken on time and, if they are not, go back to the owner to have the action plan adjusted to reflect reality.
The risk management process involves several persons in different roles. The most important one to understand is the role of the risk owner.
The risk owner is the person who owns the risk. The risk owner is usually the Information or Business Process Owner from the affected business area(s) and does not belong to IT. This may differ for generally used infrastructure such as the company network, where otherwise all affected business units would have to sign off. As a rule of thumb for determining the proper risk owner, identify the function that decides how money is spent. Additionally, the risk owner needs the appropriate financial clearance and organizational reach. The risk owner is the one who can accept risks and action plans.
The risk owner is usually also the person who indicates the business impact of a risk.
Risk management committee
This is normally a steering committee on which senior management is represented. Depending on the organizational structure and size, its membership can differ. The goal of this board is to put all existing risks into context and to keep the big picture in view. Often a risk is acceptable for a single business unit but not for the organization as a whole, because of other circumstances of which the local business unit is not aware.