One common misconception of risk management that I have come up against time and time again is that once a risk has been managed it has been eliminated and can be closed and removed from the risk register. This is simply not the case, as risks can evolve and change over time for any number of reasons.
One of the challenges of effective risk management is for the risk owner (usually the business owner of the information or process) to select a risk response that will bring a risk in line with their risk appetite. This is achieved by selecting one or more of the following risk response options:
• Avoid – stop the activity giving rise to the risk;
• Treat – implement controls to reduce the likelihood and/or impact;
• Transfer – transfer or share all or part of the impact;
• Accept – accept the current level of risk.
Any of these risk responses may be appropriate for a given risk scenario. However, only one will eliminate the risk – risk avoidance (sometimes referred to as risk termination or elimination). The other three options require the risk to be monitored and reviewed on a regular basis to ensure that it does not increase over time. As a result, risks that have been treated, transferred or accepted should not be removed from the risk register.
Experience has taught me that very few organisations are willing to cease the activity introducing a risk, and nor should they be; after all, it is impossible to seize an opportunity without taking risks. However, to take full advantage of an opportunity it is important to manage those risks, and by not monitoring risks that have been treated, transferred or accepted the business may be taking on more risk than it would tolerate.