Prioritizing Risk Mitigation Efforts
Once an institution identifies and analyzes the universe of risks, management should prioritize risk mitigation actions based on the probability of occurrence and the financial, reputational, or legal impact on the institution. Organizational impacts are variable and not always easy to quantify, but include such considerations as lost revenue, loss of market share, increased cost of insurance premiums, litigation and adverse judgment costs, and data recovery and reconstruction expense. Management should prioritize the risk assessment results based on the business importance of the associated systems. The probability of occurrence and magnitude of impact provide the foundation for establishing or expanding controls for safe, sound, and efficient operations appropriate to the risk tolerance of the institution.
Risk Mitigation and Control Implementation