Key messages: You can’t treat everything, so focus on what will hurt you the most or provide you with the largest opportunity.
Following on from my premise that the first-pass analysis is done without controls, once you have applied your risk appetite (the level of risk the organisation is prepared to accept) there is a clear need to undertake the evaluation step. I often group the risk appetite decision with the need to prioritise the threat and opportunity events.
In my previous article I came up with 1,422 initial risks and, after applying the risk appetite, 422 that needed a further look. If that number of events is still unacceptable, the real value of the evaluation step kicks in. Resources are often scarce, so before considering any treatments, and knowing that 400 risks is simply still too many, the way forward is to use some tools to establish a prioritised list of events.
I use a number of tools to work out which events are the highest priority and therefore worth looking at first when it comes to controls and, if necessary, further treatment. Option one is to look at the highest overall risk rating (the combination of likelihood and consequence); this may still leave you with groups of events that share the same overall rating. Option two is to look at the likelihood of each event, select the highest and work your way down. Option three is to look at the events with the highest consequence and work your way down.
Option four is to recognise that some risk events may occur before others, so ranking by which will happen first may be of benefit. What is worth noting is that under this option an event with a lower overall level of risk may be considered a higher priority because it will happen sooner than an event with a higher overall rating. Option five is the catch-all, where you use one or more of the previous four options to make your decision.
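As an added worked example (my own code, not from the article), here is a small Python model of the evaluation step: a constructed risk register is filtered by a risk appetite threshold and then ordered under each of the five options, with the tie groups that option one leaves behind surfaced explicitly. The 5x5 scoring, the months-to-onset figure used for option four and the particular combination chosen for option five are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain); assumed 5x5 matrix
    consequence: int      # 1 (insignificant) .. 5 (catastrophic)
    months_to_onset: int  # estimated time before the event could first occur

    @property
    def rating(self) -> int:
        # Pre-treatment overall rating: likelihood x consequence, no controls applied
        return self.likelihood * self.consequence

def apply_risk_appetite(events, threshold):
    """Keep events whose rating is at or above the level the organisation will not accept."""
    return [e for e in events if e.rating >= threshold]

# Sort keys for the five options. Negated fields sort highest-first; months_to_onset
# sorts soonest-first ("first in"). Python's sort is stable, so events that tie on a
# key keep their register order, which makes the ties visible rather than hiding them.
SORT_KEYS = {
    1: lambda e: (-e.rating,),
    2: lambda e: (-e.likelihood,),
    3: lambda e: (-e.consequence,),
    4: lambda e: (e.months_to_onset,),
    5: lambda e: (-e.rating, e.months_to_onset, -e.likelihood),  # one combined choice
}

def prioritise(events, option):
    return sorted(events, key=SORT_KEYS[option])

def rank_names(events, option):
    return [e.name for e in prioritise(events, option)]

def tied_at_top(events, option):
    """Events sharing the leading key: the 'same overall rating' problem of option one."""
    ranked = prioritise(events, option)
    if not ranked:
        return []
    key = SORT_KEYS[option]
    return [e.name for e in ranked if key(e) == key(ranked[0])]

# Constructed sample register; names and scores are illustrative only
REGISTER = [
    RiskEvent("Phishing credential theft", 5, 3, 2),
    RiskEvent("Ransomware on file servers", 3, 5, 6),
    RiskEvent("Unpatched VPN exploited", 3, 5, 1),
    RiskEvent("Laptop lost in transit", 4, 2, 3),
    RiskEvent("Cloud cost overrun", 2, 2, 12),
]
```

With a threshold of 8, four of the five events exceed appetite; option one then leaves three events tied at rating 15, while option four ranks the lost laptop (rating 8) above the ransomware event (rating 15) because it is expected sooner.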
In my opinion there is no right or wrong option or approach.
The key is that there needs to be human intervention in the risk management process at this point. There is considerable danger in simply allowing the event with the highest overall level of risk to become the organisation's number 1 risk pre-treatment.
Now that you have a clear list of prioritised events (threats and opportunities), you can once again revisit the organisation’s risk appetite to decide how many of the events need further investigation and possible treatment.