Strategic direction that describes appropriate risk response options is established and communicated
When a new risk is identified, teams need to know what response options are available and which are preferred by the organization. Without strategic guidance, individuals may default to the easiest or cheapest response rather than the one that best aligns with organizational priorities. Documenting the organization's preferred risk response approaches (accept, avoid, mitigate, transfer) and when each is appropriate prevents inconsistent decision-making and ensures risk owners take responses that leadership would endorse.
Implementation steps
1. Define the organization's available risk response options
Document the four standard risk response types: accept (tolerate the risk as-is), avoid (stop the activity creating the risk), mitigate (reduce likelihood or impact), and transfer (shift risk via insurance or contract). For each, provide guidance on when it is appropriate given the organization's risk appetite.
Suggested tools: Confluence, Google Docs, Notion
2. Establish approval thresholds for each response type
Define who can authorize each response type at different risk severity levels. For example: a team lead may accept low risks, a director may accept medium risks, and only the CISO or board can accept high or critical risks. Document these thresholds in the risk management policy.
Suggested tools: Confluence, Google Docs, Notion
3. Communicate the strategic direction to risk owners
Share the risk response framework with everyone who owns or manages risks, including engineering leads, department heads, and project managers. Include it in security awareness training for managers and reference it in the risk register template.
Suggested tools: Confluence, Slack, Google Docs, Jira
Evidence required
Risk response strategy documentation
A written policy or framework section that defines available risk response options, when each should be used, and who is authorized to approve each type.
- Risk management policy with a risk response section covering accept, avoid, mitigate, transfer
- Risk response decision tree or matrix published in the knowledge base
- Risk register template with a response type field and approval workflow
Evidence of communication to risk owners
Documentation showing that the strategic direction for risk responses has been shared with people responsible for managing risks.
- Security training materials covering risk response options
- Team meeting notes or all-hands presentation referencing risk response guidance
- Email distribution or Confluence page acknowledgment records
Related controls
- Risk management objectives are established and agreed to by organizational stakeholders (Risk Management Strategy)
- Risk appetite and risk tolerance statements are established, communicated, and maintained (Risk Management Strategy)
- Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions (Risk Management Strategy)
- Cybersecurity risk management activities and outcomes are included in enterprise risk management processes (Risk Management Strategy)