What Can You Do About Risk?

Every business leader makes risk decisions, whether they call it that or not. The goal isn’t to eliminate all risk. It’s to understand it, shape it, and make sure the risk you keep is worth the reward.

Risk = Impact × Probability

If an event would cost $1,000,000 but has a 0% chance of happening, the risk is zero. No time or money needs to be spent on it.

Most real-world threats sit in the gray area: the impact and probability are both greater than zero. That’s where you have to make a decision.

One important point:

Risk exists whether or not you recognize it. Ignorance doesn’t reduce impact, and it doesn’t change probability.

When a threat is recognized, “doing nothing” is no longer neutral. It becomes a choice.

Recognized Risk: Four Legitimate Responses

When you identify a risk, there are four ways to respond. Three are professional strategies; the fourth is a governance failure.

  • Avoid – Stop or change the activity so the risk disappears.
  • Offload (Transfer) – Shift impact to a third party (insurance, contracts, outsourcing).
  • Accept – Keep the risk knowingly, with or without controls, and own the outcome.
  • Ignore – Fail to address or document the risk. Accountability still exists; it simply shows up later, usually after damage has occurred.

A Simple Mental Model

You can think of risk decisions like this:

[Diagram: Recognize the Risk Model]

  • Avoid stands alone: if you stop the activity, the risk goes away.
  • Accept is the center of gravity: most business risk ends up here.
  • Mitigate and Offload are treatments you apply to risk you have chosen to accept.

Ignoring isn’t on the diagram because it’s not a strategy. It’s what happens when there is no strategy. Your fiduciary responsibility is not diminished just because a risk wasn’t documented.

Summary of Actions

Action     Definition                                        When It Makes Sense
---------  ------------------------------------------------  ------------------------------------------------------------------------------
Avoid      Eliminate the cause of the risk.                  Impact is catastrophic or unacceptable, regardless of probability.
Offload    Shift impact to a third party.                    Impact is high and a third party can assume or price the risk more efficiently.
Accept     Consciously retain the risk and own the outcome.  Impact is tolerable, or the cost of controls is higher than the expected loss.
Mitigate   Reduce probability, impact, or both.              Controls are affordable and meaningfully reduce risk.

Ignoring a risk does not eliminate accountability; it simply ensures accountability is exercised after harm occurs instead of before.
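To make the table concrete, here is an added worked example (not code from the 4BIS post) that applies Risk = Impact × Probability as an annualized expected loss and compares the four treatments by total annual cost: residual expected loss plus what the treatment itself costs. It also encodes the Avoid row's rule that an unacceptable impact overrides the arithmetic. Every dollar figure, probability, reduction factor and tolerance threshold below is a constructed sample value, and the function names are this example's own.

```python
# Added example (not from the 4BIS post): a small annualized risk-treatment model.
# It applies the page's formula, Risk = Impact x Probability, per year, and compares
# the four treatments from the summary table by total annual cost. Every dollar
# figure, probability and reduction factor below is a constructed sample value.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # loss in dollars if the event occurs
    probability: float  # chance the event occurs within one year, 0.0 to 1.0

    def expected_loss(self) -> float:
        """Risk = Impact x Probability, here an annualized expected loss."""
        return self.impact * self.probability


def accept(risk: Risk) -> tuple[Risk, float]:
    """Keep the risk as-is; no treatment cost. Ignoring has the same numbers
    but no decision record, which is why it is not modelled as an option."""
    return risk, 0.0


def mitigate(risk: Risk, impact_factor: float, probability_factor: float,
             annual_control_cost: float) -> tuple[Risk, float]:
    """Controls reduce impact and/or probability; residual risk plus control cost."""
    residual = replace(risk,
                       impact=risk.impact * impact_factor,
                       probability=risk.probability * probability_factor)
    return residual, annual_control_cost


def offload(risk: Risk, premium: float, deductible: float,
            coverage_cap: float) -> tuple[Risk, float]:
    """Insurance shifts impact above the deductible (up to the cap) to the carrier;
    the retained impact and the premium stay with the business."""
    covered = min(max(risk.impact - deductible, 0.0), coverage_cap)
    return replace(risk, impact=risk.impact - covered), premium


def avoid(risk: Risk, cost_of_stopping: float) -> tuple[Risk, float]:
    """Stop the activity: probability goes to zero; the lost value is the cost."""
    return replace(risk, probability=0.0), cost_of_stopping


def total_annual_cost(residual: Risk, treatment_cost: float) -> float:
    return residual.expected_loss() + treatment_cost


def choose_treatment(risk: Risk, options: dict[str, tuple[Risk, float]],
                     max_tolerable_impact: float) -> tuple[str, dict[str, float]]:
    """Pick the cheapest option by total annual cost, except that an impact above
    the tolerance forces 'avoid' regardless of probability (the Avoid row)."""
    totals = {name: total_annual_cost(res, cost) for name, (res, cost) in options.items()}
    if risk.impact > max_tolerable_impact and "avoid" in options:
        return "avoid", totals
    return min(totals, key=totals.__getitem__), totals


def laptop_example() -> tuple[str, dict[str, float]]:
    """Example 1 from the post, with constructed numbers."""
    lost_laptop = Risk("lost or stolen laptop exposes data", impact=250_000.0, probability=0.20)
    options = {
        "accept": accept(lost_laptop),
        # full-disk encryption + MFA: a lost device rarely exposes data (impact x0.1)
        "mitigate": mitigate(lost_laptop, impact_factor=0.10, probability_factor=1.0,
                             annual_control_cost=8_000.0),
        # cyber insurance: $12k premium, $25k deductible, $500k cap
        "offload": offload(lost_laptop, premium=12_000.0, deductible=25_000.0,
                           coverage_cap=500_000.0),
        # no portable devices at all: lost productivity estimated at $120k/yr
        "avoid": avoid(lost_laptop, cost_of_stopping=120_000.0),
    }
    return choose_treatment(lost_laptop, options, max_tolerable_impact=1_000_000.0)


def catastrophic_example() -> tuple[str, dict[str, float]]:
    """Low probability, unacceptable impact: expected loss alone would say accept,
    but the tolerance rule forces avoid."""
    risk = Risk("uninsurable catastrophic event", impact=5_000_000.0, probability=0.01)
    options = {"accept": accept(risk), "avoid": avoid(risk, cost_of_stopping=80_000.0)}
    return choose_treatment(risk, options, max_tolerable_impact=1_000_000.0)


if __name__ == "__main__":
    for label, (chosen, totals) in (("laptop", laptop_example()),
                                    ("catastrophic", catastrophic_example())):
        print(label, "->", chosen, {k: round(v) for k, v in totals.items()})
```

With these sample numbers the laptop risk carries a $50,000 expected annual loss if simply accepted; encryption plus MFA brings the total to $13,000, insurance to $17,000, and giving up laptops to $120,000, so mitigation wins. The second scenario shows why the Avoid row says "regardless of probability": accepting looks cheaper on expected loss, but the impact exceeds what the business can survive, so the model refuses to let arithmetic make that call.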

Example 1: Company Laptops & Data Loss

The risk: A lost or stolen laptop exposes sensitive company or customer data.

  • Impact: Regulatory fines, legal costs, loss of customer trust.
  • Probability: Non-zero. Devices get lost, stolen, or compromised.

What many businesses already do:

  • Require passwords or sign-ins on laptops.
  • Issue company-owned laptops instead of personal devices.
  • Replace older hardware on a regular cycle.

Whether it’s written down or not, that’s risk management:

  • Accept: “We accept the risk that employees need portable devices to do their jobs.”
  • Mitigate: Add disk encryption, strong authentication, and automatic screen locks to reduce the chance and impact of data loss.
  • Offload: Purchase cyber insurance to help cover breach notification and recovery costs.
  • Partial Avoidance: Prohibit storing certain types of data locally, keeping it in secured cloud applications instead.

How this aligns with CIS Controls v8 (in plain language):

  • Inventory & control of enterprise assets – Know which laptops you own, who uses them, and where they are.
  • Data protection – Encrypt data at rest and restrict where sensitive data can be stored.
  • Account management – Require unique user accounts, strong authentication, and timely removal of access.

The difference between “we issued laptops” and “we manage laptop risk” is documentation, clarity, and consistency.

Example 2: Phishing & Email Fraud

The risk: An employee receives a convincing email and sends money or sensitive information to an attacker.

  • Impact: Financial loss, data exposure, reputational damage.
  • Probability: High. Phishing emails arrive daily in most organizations.

What many businesses already do:

  • Verbally warn staff: “Don’t click suspicious links.”
  • Require a second approval for large wire transfers.
  • Call vendors to confirm bank account changes.

Again, this is risk management, even if it isn’t labeled that way:

  • Accept: “Email is essential to running the business. We accept that it comes with risk.”
  • Mitigate: Provide security awareness training, deploy email filtering, and require multi-factor authentication on email accounts.
  • Offload: Use cyber insurance that includes coverage for certain types of fraud or social engineering losses.
  • Avoid (process level): Decide that payment instructions will never be changed solely by email; require out-of-band verification.

How this aligns with CIS Controls v8 (in plain language):

  • Security awareness & skills training – Train users to recognize and report suspicious messages.
  • Service provider and email security – Filter known malicious content and block dangerous attachments or links.
  • Access control management – Use MFA to make account takeover much harder.
  • Secure business processes – Require verification steps for financial or high-risk requests.

You’re Already Doing Risk Management

If you approve budgets, enforce policies, buy insurance, or require approvals, you are already practicing risk management. The question is not whether you manage risk. It’s how intentional, consistent, and defensible your decisions are.

Frameworks like CIS Controls v8 don’t replace business judgment. They organize it. They turn informal decisions into a repeatable, auditable approach that insurers, regulators, and business partners can understand.

At 4BIS Cyber Security & IT Services, we help organizations move from “we think we’re covered” to “we can show how we manage risk.” That starts by recognizing that you’re already doing more right than you may realize — and then building on it with structure, documentation, and the right controls.

Reach out to schedule a free cyber strategy session.
