Risk Response

In this lesson, we're going to discuss risk response. How are you going to respond to risk? But before we dive into that, let's get some terminology going.

Key Terms

  • Risk Appetite: How much risk a company is willing to accept. For example, the Department of Defense and military contractors are very risk-averse due to heavy regulations, whereas a startup might be more willing to take risks until they have more financial stability.
  • Inherent Risk: This is the overall risk you start with, before any measures have been taken to mitigate it.
  • Residual Risk: The risk that's left over after you've taken steps to mitigate the inherent risk.
  • Compliance: Following rules or regulations, which can sometimes require spending more to mitigate a risk than the risk is worth.

Understanding Risk

The way you choose to deal with risk will be based on your company's risk appetite. For instance, companies that are very regulated, such as the Department of Defense, tend to be risk-averse, while startups might accept higher risk levels initially.

You need to conduct a risk analysis and rank risks from greatest to least. For each risk, you have:

  1. Inherent Risk: The risk's magnitude before any actions are taken.
  2. Residual Risk: The remaining risk after all mitigating actions have been applied.

If you're taking an exam and they ask you whether you can eliminate risk, the answer is generally no. While there are strategies that can significantly reduce risk, entirely eliminating risk is nearly impossible due to practical constraints like budget and imperfect controls.

Mitigating Risk

Mitigation means reducing a risk to an acceptable level. Companies will not spend more to mitigate a risk than the risk is worth, with one key exception: compliance. For instance, if a regulation requires a $10,000 firewall to mitigate a $5,000 risk, the company will likely comply to avoid even greater penalties from non-compliance.
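To make the ranking step and the cost-versus-value rule concrete, here is a small worked example (added for this lesson, not part of the original transcript) that models each risk with its inherent risk, the annual cost of a proposed control, the residual risk that would remain, and a flag for whether a regulation mandates the control. The names, dollar figures and the `Risk`, `ranked`, `decide` and `plan` helpers are all constructed for illustration; the only figures taken from the lesson are the $10,000 control against a $5,000 risk that compliance forces anyway.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a risk register. All amounts are annual dollar figures (constructed)."""
    name: str
    inherent: float                 # expected loss before any control (inherent risk)
    control_cost: float             # annual cost of the proposed mitigating control
    residual: float                 # expected loss that remains if the control is applied
    compliance_required: bool = False  # a regulation mandates this control regardless of cost


def ranked(risks):
    """Rank risks from greatest to least inherent risk, as the analysis step requires."""
    return sorted(risks, key=lambda r: r.inherent, reverse=True)


def decide(risk):
    """Apply the lesson's rule: never spend more than the risk is worth, except for compliance."""
    reduction = risk.inherent - risk.residual   # how much risk the control actually buys down
    if risk.compliance_required:
        return "mitigate (compliance)"          # paid even when it costs more than it saves
    if risk.control_cost <= reduction:
        return "mitigate"                       # control is worth less than the risk it removes
    return "accept"                             # cheaper to carry the risk than to control it


def plan(risks):
    """Return (name, decision, risk left over) per risk, ranked greatest to least."""
    rows = []
    for r in ranked(risks):
        decision = decide(r)
        left_over = r.residual if decision.startswith("mitigate") else r.inherent
        rows.append((r.name, decision, left_over))
    return rows


def total_residual(risks):
    """Residual risk across the whole register: it never reaches zero, only 'acceptable'."""
    return sum(left for _, _, left in plan(risks))


# Constructed sample register (the firewall line mirrors the $10,000 control vs $5,000 risk case).
SAMPLE_RISKS = [
    Risk("Regulated firewall gap", inherent=5000, control_cost=10000, residual=1000,
         compliance_required=True),
    Risk("Phishing credential theft", inherent=40000, control_cost=8000, residual=12000),
    Risk("Legacy printer exposure", inherent=2000, control_cost=6000, residual=500),
]

if __name__ == "__main__":
    for name, decision, left in plan(SAMPLE_RISKS):
        print(f"{name:28} {decision:22} residual ${left:,.0f}")
    print(f"Total residual risk: ${total_residual(SAMPLE_RISKS):,.0f}")
```

Running it shows the three outcomes the lesson describes: the high-value phishing control is worth buying, the regulated firewall is bought even though it costs twice what it protects, and the printer control is declined because it costs more than the risk it would remove. The total residual stays well above zero, which is the practical point behind "you cannot eliminate risk".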

Here's a practical example about personal decision-making related to risk:

When I was younger, I bought my first car, which wasn’t particularly valuable. When I had to decide on insurance, I opted out of comprehensive coverage because the cost of the insurance over a year exceeded the value of the car. Similarly, companies make these kinds of decisions all the time. They won’t invest more in mitigating a risk than the risk is worth unless compliance is a factor.

Ethics in Risk Mitigation

There’s also an ethical component to consider. When making decisions about risk, especially in security, human life and ethical concerns take priority. Thus, while companies generally won’t pay more to mitigate a risk than it’s worth, they will do so to ensure compliance and ethical responsibility.

Next Steps

We’ll now move into discussing specific risk responses. If you understand the terms and concepts we've discussed, you’re ready to proceed.

Let's move into what our possible responses will be.