What is Meant by Managing Your Risk? 

The term “managing your risk” refers to the process of identifying, assessing and controlling risk and threats. While it is impossible to eliminate risk, it is possible to manage risk to an acceptable level. This process starts with an organization defining three (3) crucial components of risk management:

  1. Risk Tolerance;
  2. Risk Threshold; and
  3. Risk Appetite.

To “manage an organization’s risk,” that organization needs to adhere to its stated risk tolerance, where the organization has four (4) options to address identified risks:

  1. Reduce the risk to an acceptable level;
  2. Avoid the risk;
  3. Transfer the risk to another party; or
  4. Accept the risk.

The alternative to risk management is crisis management. Organizations invest in cybersecurity and data privacy as a necessity. This necessity is driven in large part by statutory, regulatory and contractual requirements. It is also driven by the desire to protect the organization's brand from acts that would harm its public image. Regardless of the reason, the base expectation is that those charged with developing, implementing and governing the cybersecurity and data privacy functions are doing so in a reasonable manner that would withstand scrutiny, whether that scrutiny comes from an external auditor, a regulator or a prosecuting attorney. That is managing your risk.