Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
The effect of risk can be positive or negative. Our goal is to analyze the possible risk outcomes and better manage the negative effects.
There are a few ways to deal with risks:
1. Avoidance
This avoids the action that could lead to the potential risk.
eg: If you are allergic to a particular food, you decide not to eat it. OR Your stock broker advises you to purchase a stock, but from your own research you understand the company is not doing well, so you decide not to invest your money in it.
2. Reduction / Mitigation
This is the most common risk management technique. Here we reduce/limit the negative impact of the risk.
eg: A company understands that hard drives / servers might fail and plans for regular backups. In case of a hard-drive failure, the risk of data loss will be minimal.
3. Transfer
The risk is transferred to a third party. This technique is often used in scenarios where you have an outsourced service or a vendor (eg: payroll services, third-party vendors providing certain parts for your product).
eg: A company manufacturing laptops gets hard drives from a third-party vendor X, who has agreed to supply 500 hard drives every day. If vendor X cannot deliver parts for days at a stretch, this would affect the production of laptops. In this case the company decides to make an agreement with vendor X to compensate for the loss OR arranges parts via alternate providers.
4. Acceptance
Risk acceptance is not a risk minimization method, but more of a strategy. The risk is accepted and no measures are taken to handle it. This is typically done when the probability of the risk is very low and/or the cost of handling the risk would be much larger than the potential loss from accepting it.
5. Reciprocal Agreements
Another way of handling risk is via reciprocal agreements. This is an agreement between two parties who agree to share their resources in case of a crisis / emergency situation affecting either of them.
eg: Company X and Company Y are both tyre manufacturers. Company X has a commitment to deliver an order of 500 tyres by 20th May or face hefty penalties. Its factory operations are disrupted by a fire and production can't be resumed for a month. In this case, if Company X and Y have a reciprocal agreement, Company Y would provide the required tyres to Company X, and hence X can fulfil the order of 500 tyres.
The risk management techniques discussed above may not reduce the risk completely (100%). The risk that remains after these risk management / risk treatment techniques have been applied is called residual risk.