Risk responses are chosen, prioritized, planned, tracked, and communicated
Identifying a risk without deciding what to do about it is just a longer list of problems. Every risk needs a deliberate response decision: mitigate it with a control, transfer it via insurance or contract, accept it with documented rationale, or avoid it by not doing the risky thing. Tracking those responses to completion is what converts risk awareness into risk reduction.
Implementation steps
1. Choose a response for each risk in the register

For each risk, document the chosen response type: mitigate (add or improve a control), transfer (insurance, contract language, outsourcing), accept (document the rationale and obtain sign-off from the appropriate authority), or avoid (stop the activity that creates the risk). No risk should sit in the register without a decided response, and accepted risks should be revisited in the review cycle rather than treated as closed.

2. Create actionable plans for each mitigation response

For risks where mitigation is chosen, create a concrete plan with specific actions, a named owner, a target completion date, and measurable success criteria. Vague mitigations like "improve security posture" are not plans. A good plan reads: "Deploy endpoint detection on all servers by Q2 to address the malware risk on unmanaged servers," with success measured as every in-scope server reporting to the EDR console.

3. Track progress and communicate status to stakeholders

Review risk response progress in the regular security reporting cycle. Flag any responses that are overdue or blocked. Communicate significant risk status changes to the relevant stakeholders: if a high risk is now being mitigated, or if a previously accepted risk has gotten worse, those updates should reach the right people promptly.
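The three steps above amount to a set of rules a register must satisfy (every risk has a decided response, every mitigation has an owner, date and success criteria, every accepted risk has sign-off) plus a periodic check for overdue or blocked items. The following is an added example, not code from the original page or from any GRC product it names: a small linter over a CSV export of a risk register. The column names and the sample rows are constructed for illustration and are assumptions, not a format any tool mandates.

```python
"""Lint a risk register export for the rules in the three implementation steps.

Errors mean the register itself is incomplete (step 1 or 2 not done);
warnings are what should be flagged in the reporting cycle (step 3).
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample register; column names are an assumption for this example.
SAMPLE_REGISTER = """\
id,title,rating,response,owner,target_date,success_criteria,status,accepted_by
R-001,Malware on unmanaged servers,High,mitigate,server-team,2025-06-30,EDR agent reporting on 100% of servers,in_progress,
R-002,Vendor outage of payroll SaaS,Medium,transfer,finance,,,open,
R-003,Legacy app without MFA,High,accept,,,,open,
R-004,Phishing-led credential theft,High,mitigate,it-ops,2025-03-31,Phishing-resistant MFA enforced for all staff,blocked,
R-005,Unreviewed firewall rules,Low,,,,,open,
R-006,Contractor laptops without disk encryption,Medium,mitigate,,,,open,
"""

VALID_RESPONSES = {"mitigate", "transfer", "accept", "avoid"}
PLAN_FIELDS = ("owner", "target_date", "success_criteria")


@dataclass(frozen=True)
class Finding:
    risk_id: str
    severity: str  # "error": register entry incomplete; "warn": needs attention in reporting
    message: str


def lint_register(csv_text: str, as_of: str) -> list[Finding]:
    """Return findings for each rule violation, in register order."""
    today = date.fromisoformat(as_of)
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["id"]
        response = row["response"].strip().lower()
        status = row["status"].strip().lower()

        # Step 1: every risk needs a decided response type.
        if response not in VALID_RESPONSES:
            findings.append(Finding(rid, "error", "no decided response"))
            continue

        # Step 2: a mitigation is only a plan if it has owner, date and success criteria.
        if response == "mitigate":
            missing = [f for f in PLAN_FIELDS if not row[f].strip()]
            if missing:
                findings.append(Finding(rid, "error", "mitigation plan missing " + ", ".join(missing)))
            elif status != "closed" and date.fromisoformat(row["target_date"]) < today:
                # Step 3: overdue items are flagged in the reporting cycle.
                findings.append(Finding(rid, "warn", f"mitigation overdue since {row['target_date']}"))
            if status == "blocked":
                findings.append(Finding(rid, "warn", "mitigation blocked"))

        # Step 1: acceptance without recorded sign-off is not an accepted risk.
        if response == "accept" and not row["accepted_by"].strip():
            findings.append(Finding(rid, "error", "accepted risk lacks sign-off"))
    return findings


def status_report(csv_text: str, as_of: str) -> dict:
    """Summary counts suitable for the monthly security report."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_response = Counter(
        (r["response"].strip().lower() or "undecided") for r in rows
    )
    findings = lint_register(csv_text, as_of)
    return {
        "risks": len(rows),
        "by_response": dict(by_response),
        "errors": sum(f.severity == "error" for f in findings),
        "warnings": sum(f.severity == "warn" for f in findings),
    }


if __name__ == "__main__":
    for f in lint_register(SAMPLE_REGISTER, "2025-05-15"):
        print(f"{f.risk_id} [{f.severity}] {f.message}")
    print(status_report(SAMPLE_REGISTER, "2025-05-15"))
```

Run against the sample, R-005 fails step 1 (no response), R-003 fails step 1 (acceptance without sign-off), R-006 fails step 2 (mitigation with no owner, date or criteria), and R-004 produces two reporting-cycle warnings (overdue and blocked). Wiring this over a scheduled export from whatever tracker holds the register gives the "overdue or blocked" flag from step 3 without relying on someone remembering to look.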
Evidence required
Risk register with response decisions
A risk register where every entry has a documented response type and, for mitigations, a plan with owner and timeline.
- Risk register with "response type" and "mitigation plan" columns populated
- GRC platform showing risk treatment plans linked to risk entries
- Accepted risk register with sign-off from the appropriate authority
Risk response progress tracking
Evidence that risk response plans are tracked to completion and reviewed regularly.
- Jira or Linear board with open risk mitigation tasks and due dates
- Monthly security report showing risk response progress
- Risk remediation tracking spreadsheet with closed and open items
Related controls
- Vulnerabilities in assets are identified, validated, and recorded (Risk Assessment)
- Critical suppliers are assessed prior to acquisition (Risk Assessment)
- Cyber threat intelligence is received from information sharing forums and sources (Risk Assessment)
- Internal and external threats to the organization are identified and recorded (Risk Assessment)