Yesterday I wrote about what the White Island eruption teaches us about risk management, in particular the way we decide how to deal with or "treat" identified risks.
ISO/IEC 27005 describes four risk treatment options:
- Avoid the risk by deliberately not getting ourselves into risky situations - not getting too close to a known active volcano for example;
- Modify the risk: typically we mitigate (reduce) the risk through the use of controls intended to reduce the threats or vulnerabilities and hence the probability, or to reduce the impacts;
- Retain the risk: this is the default - more on this below;
- Share the risk: previously known as "risk transfer", this involves getting the assistance of third parties to deal with our risks, through insurance for instance, or liability clauses in contracts, or consultants' advice.
Risk management standards and advisories usually state or imply that these 'options' are mutually exclusive, in other words alternatives from which we should choose just one treatment per risk. ISO/IEC 27005 says "Controls to reduce, retain, avoid, or share the risks should be selected". In fact, they are non-exclusive options, since every one of them involves an element of risk retention. The sentence should perhaps read "Controls to reduce, retain, avoid, and share the risks should be selected".*
Risk retention is inevitable because of the very nature of risk. We can never be totally certain about a risk until its probability reaches 1, which is when an incident actually occurs (at which point, arguably, it is no longer a risk but a certainty!). We might have misunderstood it, or made mistakes in our analysis. Our risk treatments might not work out as expected, perhaps even failing spectacularly when we least expect it, or conversely working so well that the risk never eventuates. Our insurers and partners might renege on the deal, and consultants (including me, right now) might give bad advice. The threats, vulnerabilities and impacts are all dynamic, complex and partially unknown: geologists speak of 'eruption hazards' predicted to affect areas of varying size, but 'predict' is misleading. They can calculate the probability of various volcanic and seismic events occurring, but not with sufficient precision to be of short-term use in planning trips.
The upshot is that a retained risk is still a risk: whatever the residual level of risk, we should bear in mind that incidents might still occur. 'Risk acceptance' is no longer the preferred term since it subtly implies that the risk has gone, whereas some of it is retained, whether knowingly or not. Whether the implications are truly understood when we make risk treatment decisions is uncertain ... and, yes, that means risk management itself is risky.
* There are other problems with that sentence. In the information risk context, 'control' is generally used and understood to mean 'information security control' specifically: risk avoidance and especially retention would not normally be considered forms of control. Also, merely 'selecting' options achieves nothing: for all except risk retention, things need to be done subsequently if those decisions are to have any effect, and even retention generally ought to be documented, especially if the retained risks are significant - like, for instance, an adventure tourist signing to confirm their acknowledgement of the hazards ahead and clarify their personal accountability for the decision to proceed.