Risk Controlling in ISM


Upload: daniyal-khan

Post on 22-Jan-2018


TRANSCRIPT

Page 1: Risk Controlling in ISM

In the Name of ALLAH, the Most Beneficent, the Most Merciful


Topic:

Risk & Risk Controlling

Presented By:

Daniyal Khan (0047)

Information Security Management

Risk

A situation involving exposure to danger or uncertainty of profit/loss is called risk.

Types of risk control

There are four types of risk control.

1) Accept Risk
2) Mitigate Risk
3) Eliminate Risk
4) Transfer Risk

Accept Risk

The stakeholders who are responsible for a risk can choose to accept it. For example, the risk that a project may fail may be accepted if the project is of planned importance.

Risk management may include an approval process for risk acceptance.

Mitigate Risk

Actions are taken to reduce risk to an acceptable level. For example, the organization assigns a top-performing project management team to a project to reduce the risk that it will fail.

Secondary Risk

When you mitigate risks, it's important to consider secondary risks. Secondary risks are the risks that are caused by your risk mitigation efforts.

If you reduce a security risk by applying an update to software, there's a risk that the update itself contains security vulnerabilities. In some cases, mitigation activities carry higher risk than the risk they reduce.

Eliminate Risk

A risk may be reduced to zero. Normally the only way to achieve this is to stop the activity that generates the risk. For example, selling a risky investment will eliminate the risks associated with that investment.

Transfer Risk

A risk may be transferred to another organization or individual. For example, fire insurance transfers the risk of asset damage due to fire.
