Risk Assessment I describes how an organisation's risks can be identified. Risk Assessment II describes how measures can be put in place to mitigate those risks. These measures are known as controls.
Because of practical and cost constraints, it is unlikely that any risk will be eliminated entirely. An organisation therefore needs to determine its appetite for a particular risk, i.e. the amount of that risk it is prepared to accept. A number of factors need to be considered as part of this assessment, including:
Each identified risk will need a control in place to reduce the probability of the risk occurring, the impact if it does occur, or both. The risk appetite helps the organisation decide how many controls are needed and how strong they must be. The types of control adopted will vary with the nature of the organisation's work. Once established, each control must be assigned an owner and fully documented. Controls normally fall into three categories:
Once the controls have been determined, the outstanding (residual) risk must be assessed. If the initial (inherent) risk was scored, scoring the residual risk on the same scale is straightforward. This shows how far the risk has been reduced and whether further controls are required because the residual risk still exceeds the risk appetite. When assessing the residual risk, the factors to consider will include:
The overall result should be a reduction of the risk to a level the organisation finds acceptable.
Where the residual risk exceeds the risk appetite, actions should be agreed to close the gap.
The most likely remedy is either to improve an existing control or to introduce further controls.
Conversely, where the residual risk sits well below the risk appetite, controls that add cost without a matching reduction in risk can be relaxed or removed, provided the risk stays within appetite without them.
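As an added worked example (not part of the original page), the following Python script scores a small constructed risk register on 1-5 likelihood and impact scales, computes inherent and residual scores, compares the residual score with a constructed appetite threshold, and recommends treatment, acceptance, or relaxation of a control the risk no longer needs to stay within appetite. The scales, the control categories, the owners and every register entry are assumptions made for illustration.

```python
"""Semi-quantitative risk register: inherent vs residual risk against appetite.

Added example, not part of the original page. The 1-5 scales, the control
categories and every register entry below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed ordinal scales. Score = likelihood x impact, so 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    owner: str                     # each control must have a named owner
    category: str                  # assumed scheme: preventive / detective / corrective
    likelihood_reduction: int = 0  # points taken off the likelihood rating
    impact_reduction: int = 0      # points taken off the impact rating


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self, excluding=None) -> int:
        """Score after controls; a rating never drops below 1 (risk is never eliminated)."""
        active = [c for c in self.controls if c is not excluding]
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in active))
        imp = max(1, IMPACT[self.impact] - sum(c.impact_reduction for c in active))
        return lik * imp


def assess(risk: Risk, appetite: int) -> dict:
    """Compare residual risk with the appetite threshold and recommend an action."""
    for c in risk.controls:
        if not c.owner.strip():
            raise ValueError(f"{risk.risk_id}: control '{c.name}' has no owner")
    residual = risk.residual_score()
    if residual > appetite:
        action = "treat: strengthen an existing control or add further controls"
        relaxable = []
    else:
        action = "accept: residual risk within appetite"
        # A control is a candidate for relaxation only if the risk stays within
        # appetite without it; controls that are doing the work are kept.
        relaxable = [c.name for c in risk.controls
                     if risk.residual_score(excluding=c) <= appetite]
    return {"risk_id": risk.risk_id, "inherent": risk.inherent_score(),
            "residual": residual, "action": action, "relaxable_controls": relaxable}


# Constructed register entries (not real organisational data).
REGISTER = [
    Risk("R1", "Ransomware on file servers", "likely", "severe", [
        Control("Offline, tested backups", "IT Ops", "corrective", impact_reduction=2),
        Control("EDR on all endpoints", "SecOps", "detective", likelihood_reduction=1),
        Control("Phishing awareness training", "HR", "preventive", likelihood_reduction=1),
    ]),
    Risk("R2", "Unpatched internet-facing service", "likely", "major", [
        Control("Monthly patch cycle", "IT Ops", "preventive", likelihood_reduction=1),
    ]),
    Risk("R3", "Visitor tailgating into office", "unlikely", "minor", [
        Control("Badge readers on all doors", "Facilities", "preventive", likelihood_reduction=1),
        Control("Reception desk staffed in hours", "Facilities", "preventive", likelihood_reduction=1),
    ]),
]

RISK_APPETITE = 8  # constructed threshold: a residual score above 8 must be treated


def run_register(register=REGISTER, appetite=RISK_APPETITE) -> list:
    """Assess every risk in the register against the appetite."""
    return [assess(r, appetite) for r in register]


if __name__ == "__main__":
    for row in run_register():
        extra = f"; could relax: {', '.join(row['relaxable_controls'])}" if row["relaxable_controls"] else ""
        print(f"{row['risk_id']}: inherent {row['inherent']:>2}, residual {row['residual']:>2} "
              f"-> {row['action']}{extra}")
```

Running the script shows the three outcomes the text describes: R1 drops from 20 to 6 and is accepted with every control still needed, R2 stays at 12 and must be treated, and R3 is so far below appetite that either physical control could be relaxed without breaching it. Scores are a lookup and a multiplication; the step worth keeping is the explicit check that a control is only flagged for removal when the residual risk stays within appetite without it.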
Once the actions have been completed, a review schedule should be agreed to ensure that the risks and their associated controls remain relevant.