5. Managing and Responding to Risk

After risks have been analysed, the next step is to respond to the risk and then take action. Once risks have been graded, it is important that staff “need to think about appropriate actions to deal with individual threats and opportunities” (Hillson, 2012 p. 126). A number of response options are available to staff when presented with a risk. These have been summarised in Table 2, since theorists use differing terminology when describing the available options.


If the appropriate response to a risk is to control or eliminate it, several options are again available. HM Treasury (2004) describes these as ‘types’ of control in its Orange Book. Below is a brief outline of the four types of control given by HM Treasury (2004, pp. 28-29) which can be used to control or eliminate a risk:

  • Preventive Controls - These controls are designed to limit the possibility of an undesirable outcome being realised...The majority of controls implemented in organisations tend to belong to this category. Examples of preventive controls include separation of duty, whereby no one person has authority to act without the consent of another. 
  • Corrective Controls - These controls are designed to correct undesirable outcomes which have been realised. They provide a route of recourse to achieve some recovery against loss or damage. An example of this would be insurance which can facilitate financial recovery against the realisation of a risk. 
  • Directive Controls - These controls are designed to ensure that a particular outcome is achieved. They are particularly important when it is critical that an undesirable event is avoided - typically associated with Health and Safety or with security. Examples of this type of control would be to include a requirement that protective clothing be worn during the performance of dangerous duties. 
  • Detective Controls - These controls are designed to identify occasions of undesirable outcomes having been realised. Their effect is, by definition, “after the event” so they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include stock or asset.

Controls can mitigate risk by eliminating some of the system’s vulnerability, by reducing the capacity and motivation of the threat source behind the risk, or by reducing the magnitude of the potential or actual adverse impact. Organisations can then analyse the extent to which the risk has been reduced by the controls by reassessing its likelihood and consequence; the new risk rating is called the ‘residual risk’ (NIST, 2002).
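The reassessment described above can be made concrete with a small risk-register model. The following Python is an added illustration, not part of the original text or of the HM Treasury or NIST documents it cites: it assumes a 5x5 qualitative matrix (rating = likelihood x consequence), treats preventive and directive controls as reducing likelihood and corrective and detective controls as reducing consequence (a modelling assumption, not a rule stated by either source), and compares the residual rating against an assumed risk appetite to decide whether the risk can be accepted or needs further treatment. The risk, controls and scores are constructed sample values.

```python
from dataclasses import dataclass, field

# Assumed 5-point qualitative scales; the page does not prescribe a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Which scoring dimension each HM Treasury control type is assumed to act on.
REDUCES_LIKELIHOOD = {"preventive", "directive"}
REDUCES_CONSEQUENCE = {"corrective", "detective"}


@dataclass
class Control:
    name: str
    kind: str          # preventive | directive | corrective | detective
    reduction: int     # number of scale steps the control is judged to remove

    def __post_init__(self) -> None:
        if self.kind not in REDUCES_LIKELIHOOD | REDUCES_CONSEQUENCE:
            raise ValueError(f"unknown control type: {self.kind}")
        if self.reduction < 0:
            raise ValueError("reduction must be non-negative")


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)


def clamp(score: int) -> int:
    """Keep a reassessed score inside the 1..5 scale."""
    return max(1, min(5, score))


def inherent_rating(risk: Risk) -> int:
    """Rating before any control is applied."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def reassess(risk: Risk) -> tuple[int, int]:
    """Return (likelihood, consequence) after the controls' reductions."""
    likelihood = LIKELIHOOD[risk.likelihood]
    consequence = CONSEQUENCE[risk.consequence]
    for control in risk.controls:
        if control.kind in REDUCES_LIKELIHOOD:
            likelihood -= control.reduction
        else:
            consequence -= control.reduction
    return clamp(likelihood), clamp(consequence)


def residual_rating(risk: Risk) -> int:
    """The 'residual risk' (NIST, 2002): rating after reassessment."""
    likelihood, consequence = reassess(risk)
    return likelihood * consequence


def response(risk: Risk, appetite: int) -> str:
    """Accept the residual risk if it is within the assumed appetite,
    otherwise flag it for further treatment."""
    return "accept" if residual_rating(risk) <= appetite else "treat further"


# Constructed sample register entry using the page's own control examples.
EXAMPLE = Risk(
    name="unauthorised payment",
    likelihood="likely",
    consequence="major",
    controls=[
        Control("separation of duty", "preventive", reduction=2),
        Control("insurance", "corrective", reduction=1),
        Control("asset checks", "detective", reduction=1),
    ],
)

if __name__ == "__main__":
    print("inherent:", inherent_rating(EXAMPLE))   # 16
    print("residual:", residual_rating(EXAMPLE))   # 4
    print("response:", response(EXAMPLE, appetite=6))
```

The separation of what each control type reduces is the useful part of the model: a detective control on its own never lowers likelihood, which matches the text's point that its effect is only "after the event", so a register relying solely on detective controls will keep the inherent likelihood in its residual rating.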