So we've been through all the steps of the risk assessment process. We have a blank matrix on the screen in front of us. It should look somewhat familiar to you, because you saw it filled out at the beginning of our conversation. We're asking you to take a moment and go back and review the risk assessment methodology. Lay in all the steps in the correct order to make sure you've got them set up and properly configured in your mind. What order do they come in? And what steps go before which? As soon as you think you've done all that and you have it right, come on back. We'll take a look and we'll make sure we have them in the correct order for you. We'll talk about them to make sure you understand what order they belong in. And in case you miss one, we'll give you the opportunity to make a note. See you back in just a minute. All right, welcome back. Let's take a look at what the answers actually are and how you should have filled out the diagram. Hopefully, you got all your steps in the right order. If you didn't, take a moment here while we're talking about it to make sure you make a note and figure out which ones you need to correct. Step 1 up at the top, Prepare for Assessment. Step 2, Conduct the Assessment. Middle tier there, all the sub-steps associated in order, identify threat sources and events, that's what we call 2A. Identify vulnerability and predisposing conditions, we'll call that 2B. Determining likelihood of occurrence, determining magnitude of impact, determinng risk, one for all those. Now we actually broke out identifying vulnerabilities and predisposing conditions and we broke out identifying threat sources in events. So we actually walked through and subdivided those. So just make sure in the discussions we had that you see this only five sub-steps in the actual methodology. We actually broke one of those sub-steps into two sub-steps to make it easier to deal with, and as a result of that, we actually wound up with 2A through 2F in our discussion. But you can see the actual steps listed here in the correct order, just to remind you of that. And then Step 3, Communication Results, off to the left. And Step 4, Maintaining the Assessment. Making sure we have a good understanding of all of the steps, making sure we know what order they're going to go in, making sure we know we identify first, and then we determine second. And as a result of determination, we ultimately are going to come out with some sort of understanding of what risks are, prioritized action plans around how to deal with them, and understanding what the potential impact is to drive our conversation around dealing with risk. That's going to be very important. In Step 3, we want to make sure we're communicating effectively by audience with the appropriate relevancy. And in Step 4, we're going to circle back and maintain the assessment as we were discussing to ensure that we're aligned in an ongoing way. We're understanding how to incorporate new risks as they potentially pop up. All this is going to be very important for us. Let's talk about how we deal with risk from a treatment perspective. We've assessed it. We've understood it. We've communicated about it. We're keeping an eye on it. But what do we actually do? We've got four established, four pretty good, four pretty well-understood mechanisms or ways of dealing with risk. Risk mitigation, risk transference, risk avoidance, risk acceptance. No particular order, neither is any more or less important than the other, just the way we put them on the screen. Let's talk about each one. Risk mitigation is going to allow us to be able to go in and effectively, as we see here, to minimize risk, to take it down a couple of notches by taking actions and applying controls and counter measures to effectively try to minimize as much as possible what the risk may be. That's what risk mitigation is all about. We will select certain controls with regards to risk mitigation. Those controls have to be appropriate for the risks we are addressing. And they have to, as we said, with quantitative assessment, be cost-effective, right? So we have to make sure we're thinking about those things and we want to make sure we keep that in our mind. If you remember, from our prior conversations, we have different kinds of control categories, managerial, technical, and or operational. We want to make sure we're aware of each of these. Technical control category, it's going to be managed by and implemented through the system, the computer. Operational control category is going to be managed by and implemented by the user. And the managerial is going to be policies and procedures, traditionally. So, want to make sure we're appropriately thinking about, and matching the control categories to the actual controls themselves to the appropriate risk. Making sure we are going to be aligned there will be important. I've talked about residual risk a couple of times. Residual risk is the idea that there can be risk left over in any system. Despite our best efforts to minimize and to get away from all the risks that's in the system, there are still elements of risks that are left over that are just too difficult for us to extract or ferret out or deal with. Or they may be unknown and undocumented at the time we are dealing with them, and there's no good way for us to see clear and understand exactly what's there and as a result, they may remain hidden for a period of time. We may not be aware of the fact they exist but over time, the knowledge of them may come to light. So want to keep that mind and be aware of that. We define residual risk, in other words, as the risk that's left over after countermeasures are applied. That is the definition of residual risk. We have to understand how to deal with and acknowledge residual risk. It's very important for us. Risk transference, another way to deal with risk. Risk transference allows us to give the risk to a third party, usually with some sort of stipulation that we will spend money to do so. Classic example, as we say here, is insurance. You buy insurance, you offset risk. When you are driving, you have car insurance. When you own a home, you have homeowners insurance. You probably have flood insurance as part of that as well, depending on where you live, right? You may have renter's insurance, if you rent as opposed to owning. These are all examples of transference of risk. For a certain amount of money every month and or quarterly, semiannually or annually, you effectively are paying the insurance company to take on the risk that if there is damage or liability that they will offer you a certain amount of money in return. This is how we talk about risk transference. Some risks cannot be transferred. want to make sure we're aware of that and we think about that, by the way.
