Eight Step Process For Selecting Risk Treatments
The following process can help identify treatments for complex risks. It can be used to structure a facilitated brainstorming workshop, as a set of report headings, or as a framework for stakeholder engagement.
1. What is the risk? The risk statement must be comprehensive, leaving no room for error about what is really meant.
2. Why is it a risk? What are the root causes and vulnerabilities? How will it impact objectives?
3. What is/are the source/s of the risk? What are the hazards? Who or what are likely threat actors and what acts are they committing?
4. What are the possible risk treatments? All ideas should be listed in the initial brainstorm no matter how impractical or difficult to implement.
5. What is the best treatment (or treatments)?
6. Why is this the best treatment/s? Does it directly address the root cause of the risk stated in question one? Is it the best solution in terms of the hierarchy of controls? Does it reduce the risk to ALARP?
7. What action(s) must be taken to implement it? Who will be responsible? What resources will be required? How will it be measured as being completed successfully? When must/should it be completed by?
8. What have we not thought of? Search for possible flaws in your proposed treatment, which could be exposed by a question from stakeholders. Any question the stakeholders can think of, you can think of. Develop a Q&A list of potential issues and responses.