Homepage ISACA newsroom

Navigating the Five Common Responses to Negative Risk

Announcement posted by ISACA 20 Aug 2021

New ISACA resources—including a free webinar with Netflix senior security risk engineer—helps organisations to optimise and rethink risk response

Sydney, Australia (20 August 2021) –Risk managers deal with multiple levels of complexity in a constantly changing threat landscape. There are typically five common responses to risk: avoid, share/transfer, mitigate, accept and increase. ISACA’s new white paper, Optimizing Risk Response, confronts the inconsistencies, opportunities, obstacles, strengths and weaknesses inherent in risk response options, to provide an understanding of how to manage risk in a way that aligns with enterprise goals and culture.

Often, managers employ a combination of response options rather than choosing just one. ISACA’s guidance details the potential benefits and common pitfalls of each response: for example, with risk sharing, moral hazard and inability of a third party to realistically accept risk are some of the common pitfalls, but a potential benefit is that the risk is quantified and spread around to various parties to limit losses.

Enterprises must carefully ensure the following when weighing risk response options:

  • The strategy to respond to risk supports the enterprise’s goals, objectives and IT strategic alignment.
  • The strategy to respond to risk does not contradict the enterprise’s value proposition.  
  • The strategy to respond to risk is aligned with the enterprise’s risk appetite and tolerance. 
  • The enterprise has the ability, risk maturity, and the appropriate people, processes and technology to execute the chosen risk response option. 
  • The enterprise has considered how each risk response option influences the components of risk (loss frequency, loss magnitude and risk velocity). 

“Having an optimised risk response process is essential for helping enterprises manage risk efficiently,” says Paul Phillips, CISA, CISM, MBA, ISACA IT Risk Professional Practices Lead. “Each action an enterprise takes to respond to risk can have a ripple effect, influencing other systems and processes. It’s important to understand how the risk response option itself will influence risk and how the option is implemented to move toward an efficient and optimised risk management process.”

Professionals can also reinforce this knowledge by listening to the free ISACA webinar, Rethinking Risk Response.  Tony Martin-Vegue, senior security risk engineer at Netflix, will share how to optimise the ways organisations respond to risk and move it from a basic risk mitigation process to a true strategic advantage. 

Optimising Risk Response is a complimentary download at www.isaca.org/bookstore/bookstore-wht_papers-digital/whporr


Other available risk resources from ISACA include Risk IT Framework, 2nd Edition and COBIT Focus Area: Information and Technology Risk



For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.


Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal 
Instagram: www.instagram.com/isacanews



Karen Keech, Established Media, 0411 052 408

Media Contacts

Karen Keech

Senior Consultant

0411 052 408

Additional Resources

Download our logo