Section 11

Risk Treatment & Executive Communication

Identifying and quantifying risk is half the job — the other half is deciding what to do about it and communicating it effectively. This section covers the four treatment strategies, risk appetite operationalization, risk register management, executive reporting, and risk exception governance.

Risk Treatment Strategies

Risk Treatment Decision Framework

flowchart TD
    RISK["Identified Risk"] --> ASSESS{"Risk within appetite?"}
    ASSESS -->|"Yes"| ACCEPT["ACCEPT\nDocument & Monitor"]
    ASSESS -->|"No"| TREAT{"Can we reduce likelihood/impact?"}
    TREAT -->|"Yes, cost-effective"| MITIGATE["MITIGATE\nImplement Controls"]
    TREAT -->|"Yes, but too costly"| TRANSFER["TRANSFER\nInsurance / Third Party"]
    TREAT -->|"No effective mitigation"| AVOID["AVOID\nEliminate Activity"]
    MITIGATE --> RESIDUAL["Residual Risk\nAssessment"]
    RESIDUAL --> ASSESS
    style RISK fill:#ff8800,stroke:#000,color:#000
    style ACCEPT fill:#22d3ee,stroke:#000,color:#000
    style MITIGATE fill:#a855f7,stroke:#000,color:#000
    style TRANSFER fill:#ec4899,stroke:#000,color:#000
    style AVOID fill:#ff8800,stroke:#000,color:#000

Mitigate (Reduce)

Implement controls to reduce likelihood and/or impact. This is the most common treatment strategy.

When to use:
  • Effective controls exist at reasonable cost
  • Risk-to-mitigation cost ratio is favorable
  • Regulatory requirement mandates specific controls
Decision data needed:
  • Control implementation cost
  • Expected risk reduction (pre/post FAIR analysis)
  • Ongoing operational cost

Accept

Acknowledge the risk and proceed without additional controls. Requires formal documentation.

When to use:
  • Risk falls within defined risk appetite
  • Cost of mitigation exceeds potential loss
  • Temporary acceptance with compensating controls
Requirements:
  • Signed risk acceptance by appropriate authority
  • Defined review period (typically 6-12 months)
  • Compensating controls documented

Transfer

Shift the financial impact to a third party through insurance or contractual transfer.

When to use:
  • Low-frequency, high-impact risks
  • Cyber insurance is cost-effective
  • Contractual indemnification available
Caution:
  • Transfers financial risk, not reputational risk
  • Insurance exclusions (acts of war, ransomware)
  • Regulatory obligations can't be transferred

Avoid

Eliminate the risk by removing the activity, system, or process that creates it.

When to use:
  • Risk exceeds organizational risk tolerance
  • No cost-effective mitigation exists
  • Business case doesn't justify the risk
Examples:
  • Decommissioning a legacy system
  • Not entering a high-risk market
  • Discontinuing a feature with unmanageable risk

Risk Appetite & Tolerance

Appetite vs Tolerance vs Capacity

Risk appetite: The amount of risk the organization is willing to take to achieve its objectives (strategic).
Risk tolerance: The specific thresholds for acceptable variation (operational).
Risk capacity: The maximum risk the organization can absorb before viability is threatened (financial).
risk-appetite-framework.txt
Risk Appetite Statement Framework
══════════════════════════════════

STRATEGIC RISK APPETITE (Board-level)
─────────────────────────────────────
"[Organization] accepts a MODERATE level of cybersecurity risk 
in pursuit of digital transformation objectives. We will NOT 
accept risks that could result in:
  • Loss of customer PII affecting >10,000 records
  • Regulatory fines exceeding $5M
  • Business interruption >24 hours for critical services
  • Reputational damage from data breach making national news"

OPERATIONAL RISK TOLERANCE (CISO-level)
───────────────────────────────────────
Category              Tolerance          Escalation
─────────────────────────────────────────────────────
Critical vulns        0 unpatched >72h   → CISO immediate
High vulns            0 unpatched >30d   → Security Lead
Vendor risk (Tier 1)  Score ≥ 70/100     → Risk Committee
Open risk acceptances Max 20 concurrent  → CISO quarterly
ALE per risk          < $2M annually     → Auto-accept
ALE per risk          $2M-$10M           → Risk Committee
ALE per risk          > $10M             → Board/CEO

RISK CAPACITY (CFO-level)
─────────────────────────
• Cyber insurance coverage: $50M per occurrence
• Self-insured retention: $2M
• Maximum acceptable annual cyber loss: $25M
• Cash reserves for incident response: $5M
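The operational tolerance table above is only useful if something actually evaluates it. The following is an added example (not part of the original course material) that turns that table into executable checks: the 72-hour and 30-day patch SLAs, the Tier 1 vendor score threshold of 70, the cap of 20 concurrent risk acceptances, and the ALE tiers at $2M and $10M. All records are constructed, and the handling of the exact boundaries ($2M and $10M routed to the Risk Committee) is an assumption, since the table does not say.

```python
"""Operational risk-tolerance evaluation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class Vuln:
    id: str
    severity: str          # "critical", "high", ...
    first_seen: datetime
    patched: bool


@dataclass
class Vendor:
    name: str
    tier: int
    score: int             # 0-100 risk score; higher is worse


@dataclass
class Risk:
    id: str
    ale_usd: float         # single-point ALE estimate (e.g. FAIR most-likely)


# Thresholds from the sample tolerance table.
PATCH_SLA = {"critical": timedelta(hours=72), "high": timedelta(days=30)}
PATCH_ESCALATION = {"critical": "CISO immediate", "high": "Security Lead"}
VENDOR_TIER1_MAX_SCORE = 70
MAX_OPEN_ACCEPTANCES = 20

Escalation = Tuple[str, str, str]   # (subject, reason, escalate_to)


def ale_tier(ale_usd: float) -> str:
    """ALE routing; exact $2M / $10M go to the Risk Committee (assumption)."""
    if ale_usd < 2_000_000:
        return "Auto-accept"
    if ale_usd <= 10_000_000:
        return "Risk Committee"
    return "Board/CEO"


def evaluate_tolerances(vulns: List[Vuln], vendors: List[Vendor],
                        open_acceptances: int, risks: List[Risk],
                        now: datetime) -> List[Escalation]:
    """Return every tolerance breach with the escalation target it maps to."""
    out: List[Escalation] = []
    for v in vulns:
        sla = PATCH_SLA.get(v.severity)       # severities below "high" have no SLA here
        if sla is not None and not v.patched and now - v.first_seen > sla:
            out.append((v.id, f"{v.severity} vuln unpatched for {now - v.first_seen}",
                        PATCH_ESCALATION[v.severity]))
    for vd in vendors:
        # The table only sets a tolerance for Tier 1 vendors.
        if vd.tier == 1 and vd.score >= VENDOR_TIER1_MAX_SCORE:
            out.append((vd.name, f"Tier 1 vendor score {vd.score}/100", "Risk Committee"))
    if open_acceptances > MAX_OPEN_ACCEPTANCES:
        out.append(("risk acceptances",
                    f"{open_acceptances} open, max {MAX_OPEN_ACCEPTANCES}", "CISO quarterly"))
    for r in risks:
        tier = ale_tier(r.ale_usd)
        if tier != "Auto-accept":
            out.append((r.id, f"ALE ${r.ale_usd:,.0f}", tier))
    return out


def sample_data():
    """Constructed records for illustration; not real findings."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    vulns = [
        Vuln("V-1", "critical", now - timedelta(days=4), patched=False),   # breaches 72h SLA
        Vuln("V-2", "critical", now - timedelta(days=1), patched=False),   # still within SLA
        Vuln("V-3", "high", now - timedelta(days=45), patched=True),       # fixed, ignored
        Vuln("V-4", "high", now - timedelta(days=31), patched=False),      # breaches 30d SLA
    ]
    vendors = [Vendor("Acme Payments", 1, 82),    # Tier 1 over threshold
               Vendor("Beta Analytics", 2, 90),   # Tier 2: no tolerance defined
               Vendor("Gamma Hosting", 1, 40)]
    risks = [Risk("R-001", 5_800_000), Risk("R-003", 1_400_000), Risk("R-005", 12_000_000)]
    return vulns, vendors, 23, risks, now


if __name__ == "__main__":
    for subject, reason, target in evaluate_tolerances(*sample_data()):
        print(f"{subject:18} {reason:42} -> {target}")
```

Running it lists six escalations: two SLA breaches, one Tier 1 vendor, the acceptance cap, and the two risks above $2M. Note that the Tier 2 vendor with a worse score is not flagged, which is exactly the kind of gap a tolerance review should notice.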

Risk Register

The risk register is the living document that captures all identified risks, their scores, treatment decisions, and status. It is the primary output of any significant TRA engagement.

| ID | Risk | ALE (FAIR) | Treatment | Control | Owner | Status |
|---|---|---|---|---|---|---|
| R-001 | Cardholder data breach via API exploitation | $3.2M–$8.5M | Mitigate | WAF + API gateway + runtime protection | Platform Lead | In Progress |
| R-002 | Ransomware via compromised CI/CD pipeline | $1.8M–$4.2M | Mitigate | SLSA Level 3 + signed artifacts + RBAC | DevOps Lead | Complete |
| R-003 | Single cloud region failure (us-east-1) | $800K–$2.1M | Accept | Multi-AZ (not multi-region) — cost accepted | CTO | Accepted |
| R-004 | Regulatory fine from GDPR data subject request failure | $500K–$3M | Transfer | Cyber insurance + automated DSR workflow | DPO | Complete |

Executive Reporting

Executives don't need threat details — they need decision-ready summaries. Structure TRA reports for your audience level.

Board / C-Suite

  • 1-page executive summary
  • Top 5 risks with ALE ranges
  • Risk trend (improving/worsening)
  • Investment ask with ROI
  • Peer benchmarking data
  • Format: dashboard with traffic lights

Risk Committee / CISO

  • Full risk register with FAIR scores
  • Treatment plan and timeline
  • Control effectiveness assessment
  • Risk acceptance decisions needed
  • Exceptions and waivers status
  • Format: detailed report + risk matrix

Technical / Engineering

  • Detailed threat scenarios
  • Attack trees and DFDs
  • Specific control recommendations
  • Remediation backlog items
  • Architecture diagrams with risk annotations
  • Format: technical appendix + JIRA items
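The board summary ("top 5 risks with ALE ranges", "risk trend") is derived mechanically from the register, and that derivation is worth showing. The following is an added example (not code from the original course material) that parses the ALE range strings exactly as they appear in the register table above, ranks risks by ALE midpoint, totals exposure, and labels the quarter-over-quarter trend. The four register rows are the ones from the table; the prior-quarter midpoints and the 5% "stable" band are constructed assumptions.

```python
"""Risk register -> board-level summary (added example; prior-quarter data constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

_AMOUNT = re.compile(r"\$?\s*(\d+(?:\.\d+)?)\s*([KMB])?", re.IGNORECASE)
_MULT = {"": 1, "K": 1_000, "M": 1_000_000, "B": 1_000_000_000}


def parse_amount(text: str) -> int:
    """'$3.2M' -> 3200000, '$800K' -> 800000; whole dollars."""
    m = _AMOUNT.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised amount: {text!r}")
    return int(round(float(m.group(1)) * _MULT[(m.group(2) or "").upper()]))


def parse_ale_range(text: str) -> Tuple[int, int]:
    """'$800K–$2.1M' -> (800000, 2100000); accepts an en dash or a hyphen."""
    parts = re.split(r"\s*[\u2013-]\s*", text.strip())
    if len(parts) != 2:
        raise ValueError(f"expected 'low–high', got {text!r}")
    low, high = (parse_amount(p) for p in parts)
    if low > high:
        raise ValueError(f"range is inverted: {text!r}")
    return low, high


@dataclass
class RegisterEntry:
    id: str
    title: str
    ale_range: str      # kept as the register string; parsed on demand
    treatment: str
    owner: str
    status: str

    @property
    def ale(self) -> Tuple[int, int]:
        return parse_ale_range(self.ale_range)

    @property
    def ale_midpoint(self) -> float:
        low, high = self.ale
        return (low + high) / 2


def top_risks(register: List[RegisterEntry], n: int = 5):
    """Rank by ALE midpoint but report the range: the board sees uncertainty, not a point."""
    ranked = sorted(register, key=lambda e: e.ale_midpoint, reverse=True)
    return [(e.id, e.title, e.ale_range) for e in ranked[:n]]


def total_exposure(register: List[RegisterEntry]) -> Tuple[int, int]:
    return sum(e.ale[0] for e in register), sum(e.ale[1] for e in register)


def treatment_mix(register: List[RegisterEntry]) -> Dict[str, int]:
    mix: Dict[str, int] = {}
    for e in register:
        mix[e.treatment] = mix.get(e.treatment, 0) + 1
    return mix


def trend(register: List[RegisterEntry], prior_midpoints: Dict[str, float],
          band: float = 0.05) -> str:
    """Compare total midpoint ALE with the prior snapshot; within +/- band counts as stable."""
    current = sum(e.ale_midpoint for e in register)
    prior = sum(prior_midpoints.values())
    if prior == 0:
        return "n/a"
    change = (current - prior) / prior
    if change < -band:
        return "improving"
    if change > band:
        return "worsening"
    return "stable"


def board_summary(register: List[RegisterEntry], prior_midpoints: Dict[str, float]) -> dict:
    return {
        "top_risks": top_risks(register),
        "exposure_usd": total_exposure(register),
        "treatment_mix": treatment_mix(register),
        "trend": trend(register, prior_midpoints),
    }


def sample_register() -> List[RegisterEntry]:
    """The four rows of the register table above."""
    return [
        RegisterEntry("R-001", "Cardholder data breach via API exploitation", "$3.2M–$8.5M",
                      "Mitigate", "Platform Lead", "In Progress"),
        RegisterEntry("R-002", "Ransomware via compromised CI/CD pipeline", "$1.8M–$4.2M",
                      "Mitigate", "DevOps Lead", "Complete"),
        RegisterEntry("R-003", "Single cloud region failure (us-east-1)", "$800K–$2.1M",
                      "Accept", "CTO", "Accepted"),
        RegisterEntry("R-004", "Regulatory fine from GDPR data subject request failure", "$500K–$3M",
                      "Transfer", "DPO", "Complete"),
    ]


# Constructed prior-quarter midpoints, used only to illustrate the trend label.
PRIOR_QUARTER_MIDPOINTS = {"R-001": 7_000_000, "R-002": 3_000_000,
                           "R-003": 1_450_000, "R-004": 2_500_000}

if __name__ == "__main__":
    for key, value in board_summary(sample_register(), PRIOR_QUARTER_MIDPOINTS).items():
        print(f"{key}: {value}")
```

The parser is the part most likely to bite in practice: registers exported from spreadsheets mix en dashes and hyphens, "K" and "M" suffixes, and inverted ranges, and the summary silently ranks garbage unless the parse rejects them.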

Risk Exceptions & Waivers

risk-exception-process.txt
Risk Exception / Waiver Governance Process
═══════════════════════════════════════════

WHEN TO REQUEST AN EXCEPTION
─────────────────────────────
• A mandated control cannot be implemented by deadline
• Cost of full compliance exceeds risk-justified spending
• Technical debt requires phased remediation
• Legacy system cannot support required controls

EXCEPTION REQUEST TEMPLATE
───────────────────────────
Risk ID:          [R-XXX]
Requested by:     [Name, Title]
Risk description: [What risk is being accepted]
Current ALE:      [$ range from FAIR analysis]

Why exception needed:
  [Business/technical justification]

Compensating controls in place:
  1. [Control description and effectiveness]
  2. [Control description and effectiveness]

Residual risk with compensating controls:
  [Updated ALE estimate]

Requested duration: [X months, max 12]
Review date:        [Specific date]

APPROVAL AUTHORITY
──────────────────
ALE < $500K:   Security Lead
ALE $500K-$2M: CISO
ALE $2M-$10M:  Risk Committee
ALE > $10M:    CEO / Board

GOVERNANCE REQUIREMENTS
───────────────────────
• All exceptions tracked in risk register
• Maximum exception duration: 12 months
• Mandatory review at expiration
• Auto-escalation if not renewed or remediated
• Quarterly exception summary to Risk Committee
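The governance requirements above (12-month cap, mandatory review at expiration, auto-escalation when an exception is neither renewed nor remediated, ALE-based approval authority) are the rules most often lost when exceptions live in a spreadsheet. The following is an added example (not part of the original course material) that validates an exception request against the template, computes its review date, assigns the approver from the ALE thresholds, and flags overdue exceptions for escalation. The exception records are constructed, and the "escalate one tier up" rule is an assumption: the process says auto-escalation happens but does not say to whom.

```python
"""Risk exception time-boxing and auto-escalation (added example; records constructed)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

MAX_DURATION_MONTHS = 12

# Approval tiers from the process text, lowest to highest.
AUTHORITY_TIERS = ["Security Lead", "CISO", "Risk Committee", "CEO / Board"]


def approval_authority(ale_usd: float) -> str:
    """Who must sign, per the ALE thresholds in the process text."""
    if ale_usd < 500_000:
        return "Security Lead"
    if ale_usd <= 2_000_000:
        return "CISO"
    if ale_usd <= 10_000_000:
        return "Risk Committee"
    return "CEO / Board"


def next_tier(authority: str) -> str:
    """Assumed auto-escalation rule: one tier up, capped at the top tier."""
    i = AUTHORITY_TIERS.index(authority)
    return AUTHORITY_TIERS[min(i + 1, len(AUTHORITY_TIERS) - 1)]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class ExceptionRequest:
    risk_id: str
    requested_by: str
    current_ale: float
    residual_ale: float                 # ALE with compensating controls in place
    compensating_controls: List[str]
    requested_months: int
    requested_on: date


@dataclass
class ExceptionRecord:
    request: ExceptionRequest
    approver: str
    review_date: date
    status: str = "open"                # open | renewed | remediated


def validate_request(req: ExceptionRequest) -> List[str]:
    """Return a list of problems; an empty list means the request can be registered."""
    problems = []
    if not 1 <= req.requested_months <= MAX_DURATION_MONTHS:
        problems.append(f"duration {req.requested_months} months outside 1-{MAX_DURATION_MONTHS}")
    if not req.compensating_controls:
        problems.append("no compensating controls listed")
    if req.residual_ale > req.current_ale:
        problems.append("residual ALE exceeds current ALE; controls reduce nothing")
    return problems


def register_exception(req: ExceptionRequest) -> ExceptionRecord:
    problems = validate_request(req)
    if problems:
        raise ValueError("; ".join(problems))
    return ExceptionRecord(request=req,
                           approver=approval_authority(req.current_ale),
                           review_date=add_months(req.requested_on, req.requested_months))


def overdue_escalations(records: List[ExceptionRecord], today: date) -> List[Tuple[str, str, str]]:
    """Open exceptions past their review date: (risk_id, original approver, escalate to)."""
    return [(r.request.risk_id, r.approver, next_tier(r.approver))
            for r in records if r.status == "open" and today > r.review_date]


def sample_register() -> List[ExceptionRecord]:
    """Constructed exception records."""
    r1 = register_exception(ExceptionRequest("R-001", "Platform Lead", 5_800_000, 2_200_000,
                                             ["WAF in blocking mode for the payment API"],
                                             6, date(2024, 9, 15)))
    r2 = register_exception(ExceptionRequest("R-004", "DPO", 1_200_000, 600_000,
                                             ["Manual DSR triage queue"], 9, date(2025, 1, 10)))
    r3 = register_exception(ExceptionRequest("R-007", "DevOps Lead", 300_000, 150_000,
                                             ["Network segmentation of legacy host"],
                                             3, date(2024, 11, 1)))
    r3.status = "remediated"            # past its review date but closed out: no escalation
    return [r1, r2, r3]


if __name__ == "__main__":
    for risk_id, approver, target in overdue_escalations(sample_register(), date(2025, 4, 1)):
        print(f"{risk_id}: approved by {approver}, overdue -> escalate to {target}")
```

The check worth running quarterly is `overdue_escalations` over the whole exception list: anything it returns is an exception that silently became a permanent acceptance, which is the failure mode time-boxing exists to prevent.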

GRC Tool Integration

| Platform | Strengths | Best For | API |
|---|---|---|---|
| ServiceNow IRM | Enterprise integration, workflow automation | Large enterprises with ITSM integration | REST API, IntegrationHub |
| Archer (RSA) | Customizable data model, reporting | Regulated industries, complex frameworks | REST API |
| LogicGate Risk Cloud | Modern UI, no-code workflows, FAIR support | Mid-market, teams wanting FAIR quantification | REST API, webhooks |
| OneTrust | Privacy + security risk, vendor management | Privacy-focused orgs, GDPR compliance | REST API, pre-built integrations |

Section Summary

Key Takeaways

  • Four treatment strategies: mitigate, accept, transfer, avoid
  • Risk appetite must be formally defined at strategic, operational, and financial levels
  • Risk registers are living documents with clear ownership and review cycles
  • Tailor reporting depth to audience: board, risk committee, engineering
  • Risk exceptions require formal governance with time-boxing and approval authority