Risk treatment involves modifying risks to bring them to an acceptable level. In Diri, the risk treatment plan summarises the security controls proposed during the risk assessment, as visualised in the risk matrix. Treatments are selected to reduce either the likelihood or the consequence of a risk. The main goal of this step is to evaluate the cost versus benefit of each proposed treatment, resulting in a prioritised list of actions to manage the identified risks.
The more effort you put into your risk assessment, the more accurate the cost-benefit analysis in Diri becomes. The novelty of Diri lies in how we’ve implemented many-to-many relationships in the Diri Risk Assessment (DRA). Security controls can be reused across multiple causes and consequences—reflecting real-world scenarios where, for instance, security training may mitigate several risks.
Diri also supports re-use of controls across multiple events. In practice, this allows you to build a much more comprehensive risk assessment and evaluate the impact of treatments with significantly greater precision.
Clicking a risk bubble in the risk matrix opens a detailed side view of that risk.
The treatment card highlights the key information about the treatment. For cost analysis, the focus is on acquisition and annual costs, such as licence and maintenance, while the benefit is illustrated by the absolute risk reduction from the treatment. You can edit a treatment by clicking it directly in the table. Use the "Configure the table" option to change which columns are shown.
These variables are displayed in the treatment card; the risk reduction, however, is best viewed in the risk matrix, which is updated automatically when measures are selected and de-selected. In the example above, the treatment has the status Open, meaning it has been defined but not yet considered. Checking the Selected button changes the status to Planned and updates the risk matrix and the cost estimate pinned to the top of the page:
Spending adequate time on building risk models and making cost estimates pays off in this analysis: a comprehensive risk model enables you to detect large risk reductions at low cost.
Diri is both a risk management and a quality assurance system. One of the most important activities in risk management is to ensure the follow-up and traceability of assigned treatments. Be sure to assign a responsible person and a deadline for each chosen treatment; doing so enables progress tracking in Diri:
Another way to keep track of treatment implementation is the Treatments option in the main menu, which lists all treatments visible to your user account.
A general risk management goal is that the risk level should be as low as practically possible. For risks with a very low probability but a potentially devastating consequence, one should consider introducing measures even when they cannot be justified on a purely financial basis.
Another consideration is that high-frequency risks (events) with low impact can, in aggregate, add up to significant consequences.
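The following is an added example, not Diri's own code, of the reasoning this page describes: the cost-versus-benefit ranking of treatments that share many-to-many links with risks, the pinned cost and residual-risk figures for a selected plan, and the two considerations above (a rare but devastating risk that is worth treating even at a financial loss, and a frequent low-impact risk that adds up). It assumes a simplified quantitative model in which annual loss equals likelihood (events per year) times consequence (loss per event), that each treatment scales those two factors by independent multipliers, and that acquisition cost is spread evenly over a planning horizon; Diri's actual matrix-based computation may differ. All risks, treatments, costs and multipliers are constructed.

```python
# Added example, not Diri's own code: a simplified quantitative model of the
# cost-benefit step on this page. Annual loss = likelihood (events/year) x
# consequence (loss per event). A treatment is linked to many risks and a risk
# to many treatments (many-to-many). Independent multiplicative effects and an
# evenly spread acquisition cost are assumptions; all figures are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float   # expected events per year (constructed)
    consequence: float  # loss per event, in currency units (constructed)

    def annual_loss(self) -> float:
        return self.likelihood * self.consequence


@dataclass
class Treatment:
    name: str
    acquisition_cost: float
    annual_cost: float  # licence, maintenance, staffing
    # risk name -> (likelihood multiplier, consequence multiplier);
    # 1.0 means "no effect on that factor"
    effects: dict


def annualised_cost(t: Treatment, horizon_years: int) -> float:
    """Spread the one-off acquisition cost over the planning horizon."""
    return t.acquisition_cost / horizon_years + t.annual_cost


def residual_risks(risks, treatments):
    """Apply every selected treatment to every risk it is linked to."""
    out = []
    for r in risks:
        lik, con = r.likelihood, r.consequence
        for t in treatments:
            if r.name in t.effects:
                lm, cm = t.effects[r.name]
                lik *= lm
                con *= cm
        out.append(Risk(r.name, lik, con))
    return out


def total_annual_loss(risks) -> float:
    return sum(r.annual_loss() for r in risks)


def rank_treatments(risks, treatments, horizon_years):
    """Cost versus benefit of each treatment on its own, best net benefit first."""
    base = total_annual_loss(risks)
    rows = []
    for t in treatments:
        after = total_annual_loss(residual_risks(risks, [t]))
        reduction = base - after
        cost = annualised_cost(t, horizon_years)
        rows.append({"treatment": t.name, "risk_reduction": reduction,
                     "annual_cost": cost, "net_benefit": reduction - cost})
    rows.sort(key=lambda row: row["net_benefit"], reverse=True)
    return rows


def plan_summary(risks, selected, horizon_years):
    """The 'pinned' figures: total annualised cost and residual annual loss."""
    cost = sum(annualised_cost(t, horizon_years) for t in selected)
    residual = total_annual_loss(residual_risks(risks, selected))
    return cost, residual


def intolerable_consequences(risks, selected, max_consequence):
    """Risks whose single-event consequence stays above what the organisation
    can survive, regardless of whether treating them pays financially."""
    return [r.name for r in residual_risks(risks, selected)
            if r.consequence > max_consequence]


# Constructed data: 'phishing' is frequent and cheap per event but adds up;
# 'ransomware' is rare but could be fatal to the organisation.
RISKS = [
    Risk("phishing", likelihood=24, consequence=5_000),
    Risk("ransomware", likelihood=0.05, consequence=3_000_000),
    Risk("laptop_theft", likelihood=2, consequence=20_000),
]
TREATMENTS = [
    Treatment("security_training", 0, 30_000,
              {"phishing": (0.5, 1.0), "laptop_theft": (0.8, 1.0)}),
    Treatment("mfa", 40_000, 10_000,
              {"phishing": (1.0, 0.2), "ransomware": (0.6, 1.0)}),
    Treatment("dr_site", 400_000, 150_000,
              {"ransomware": (1.0, 0.05)}),
]
HORIZON_YEARS = 4

if __name__ == "__main__":
    for row in rank_treatments(RISKS, TREATMENTS, HORIZON_YEARS):
        print(f"{row['treatment']:18} reduction={row['risk_reduction']:>10,.0f} "
              f"cost={row['annual_cost']:>10,.0f} net={row['net_benefit']:>10,.0f}")
    selected = [t for t in TREATMENTS if t.name in ("security_training", "mfa")]
    cost, residual = plan_summary(RISKS, selected, HORIZON_YEARS)
    print(f"selected plan: cost={cost:,.0f}/yr, residual loss={residual:,.0f}/yr")
    # dr_site has a negative net benefit, yet ransomware's consequence stays
    # above the survivable limit, so it warrants consideration anyway.
    print("still intolerable:", intolerable_consequences(RISKS, selected, 500_000))
```

Running the block ranks `mfa` first because it is linked to two risks at once, which is exactly where the many-to-many modelling pays off; `dr_site` ranks last with a negative net benefit, but `intolerable_consequences` still flags ransomware after the financially justified plan is applied, illustrating why such measures deserve consideration beyond the pure numbers.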