Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.2.4. Risk Management Strategies

💡 First Principle: Once a risk is identified and analyzed, the organization must choose a response strategy. There are four fundamental options, and the choice depends on comparing the cost of the response against the risk's potential impact.


Risk mitigation (reduction) — implementing controls to reduce likelihood or impact. The most common strategy. Example: deploying firewalls and patching systems to reduce the risk of network-based attacks.

Risk avoidance — eliminating the risk entirely by not engaging in the risky activity. Example: deciding not to store credit card numbers (eliminating PCI DSS scope and payment data breach risk). Avoidance may limit business opportunities.

Risk transference (sharing) — shifting the financial impact to another party. Cyber insurance transfers financial risk. SLAs transfer operational risk to service providers. The risk still exists — but someone else bears the cost if it materializes.

Risk acceptance — acknowledging the risk and choosing not to take action because the cost of mitigation exceeds the potential loss, or the risk falls within tolerance. Must be a documented, deliberate decision with management approval — not neglect.

Risk exemptions are formal, time-limited approvals to operate outside normal security policy. Unlike acceptance (the risk is within tolerance), an exemption acknowledges the risk exceeds tolerance but grants a temporary exception with compensating controls and a remediation deadline.

⚠️ Exam Trap: Risk acceptance is a valid strategy when done deliberately with management approval and documentation. It is NOT the same as ignoring the risk. If a question describes a risk that's undocumented and unreviewed, that's negligence, not acceptance.
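As an added example (not part of the MindMesh Academy material), a small Python risk-register check that applies the decision rules above: it compares the annual loss a control removes against the control's cost, treats acceptance as valid only with documented management approval, and recognizes an exemption only when it is approved, time-limited and backed by compensating controls. Avoidance and transference are business choices outside this numeric check; the field names, the expected-annual-loss formula (likelihood × impact) and the sample register entries are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Risk:
    """One risk-register entry (assumed fields, not a standard schema)."""
    name: str
    likelihood: float                  # expected occurrences per year
    impact: float                      # loss per occurrence
    control_cost: float = 0.0          # annual cost of the proposed control (0 = none proposed)
    residual_likelihood: float = 0.0   # likelihood after the control is applied
    residual_impact: float = 0.0       # impact after the control is applied
    approved_by: Optional[str] = None  # management sign-off for accept/exempt decisions
    exemption_expires: Optional[date] = None  # remediation deadline for an exemption
    compensating_controls: tuple = ()

def annual_loss(likelihood: float, impact: float) -> float:
    """Assumed expected-annual-loss model: likelihood x impact."""
    return likelihood * impact

def classify(risk: Risk, tolerance: float, today: date) -> str:
    """Return the response the register entry actually supports."""
    loss = annual_loss(risk.likelihood, risk.impact)
    reduction = loss - annual_loss(risk.residual_likelihood, risk.residual_impact)
    # Mitigation pays off only when the loss it removes exceeds what the control costs.
    if risk.control_cost > 0 and reduction > risk.control_cost:
        return "mitigate"
    if loss <= tolerance:
        # Within tolerance: acceptance counts only as a documented, approved decision.
        return "accept" if risk.approved_by else "negligence"
    # Exceeds tolerance with no cost-effective control: only a formal exemption is valid.
    if (risk.approved_by and risk.compensating_controls
            and risk.exemption_expires and risk.exemption_expires > today):
        return "exempt"
    return "unmanaged"

SAMPLE_REGISTER = [  # constructed sample entries
    Risk("unpatched web server", 2.0, 50_000, control_cost=20_000,
         residual_likelihood=0.2, residual_impact=50_000),
    Risk("lost encrypted laptop (approved)", 1.0, 2_000, approved_by="CISO"),
    Risk("lost encrypted laptop (undocumented)", 1.0, 2_000),
    Risk("legacy SCADA host, cannot patch", 0.5, 400_000, approved_by="CISO",
         compensating_controls=("network segmentation", "monitoring"),
         exemption_expires=date(2027, 1, 1)),
]

def audit(register, tolerance=5_000, today=date(2026, 6, 1)):
    """Classify every entry; 'negligence' and 'unmanaged' are findings for review."""
    return [(r.name, classify(r, tolerance, today)) for r in register]
```

Running `audit(SAMPLE_REGISTER)` flags the undocumented laptop entry as negligence, and re-running the SCADA entry with a date past its deadline turns the exemption into an unmanaged risk.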

Written by Alvin Varughese, Founder, 15 professional certifications