ERM FAQ 5 – Risk Response: What is risk response?

Enterprise Risk Management

Businessdictionary.com defines risk response as
“Appropriate steps taken or procedures implemented upon discovery of an unacceptably high degree of exposure to one or more risks. Also called risk treatment.”
The purpose of risk response is to bring the risk down to the acceptable level set by the risk appetite. Risk response is connected with risk appetite, which in turn is connected with the organization's objectives.
There are 4 types of risk response:

  1. Risk Avoidance
  2. Risk Mitigation
  3. Risk Transfer
  4. Risk Acceptance

Risk Avoidance: Risk avoidance refers to avoiding the risk altogether, by staying out of or exiting from activities that give rise to the risk, such as a risky market, product, geography or activity.
Risk Mitigation: Risk mitigation refers to putting measures in place to detect and prevent or control risk. Examples would be setting up an Internal Audit Function, establishing an Internal Audit Activity, organizing risk awareness programmes, training people in risk detection, defining procedures to deal with risk, etc.
Risk Transfer: Transferring the risk to another party, e.g. through insurance or outsourcing, such as insuring assets or human life against unknown perils.
Risk Acceptance: Accepting the risk.
For the same risk, responses can differ based on the risk appetite of the organization.
E.g. the risk of bad debts in a market with a high incidence of bad debts:

  • An organization wary of risk may avoid such markets. (Risk Avoidance)
  • Another organization may go for stricter credit appraisals, do extra credit surveys, and take extra collateral for loans given. (Risk Mitigation)
  • An organization can go for securitisation and credit default swap instruments. (Risk Transfer)
  • An organization can accept the risk as part of its objective of social responsibility towards the underprivileged in an undeveloped market. (Risk Acceptance)

Risks are never evaluated and responded to in an isolated manner. They are always taken together as a group for similar activities. Responses are also taken as a group. In the previously mentioned example, an organization may choose to go for all of these responses for different markets.
Key Risk Indicators (KRIs) are defined as part of risk response to ensure that a risk is managed and appropriately responded to before it becomes unacceptably high. An example of a KRI would be the percentage of bad debts vis-à-vis loans given by the organization.
(I will discuss Control Activities, which come after risk response. Once an organization has decided to respond to a risk in a particular activity, this needs to be monitored to ensure that the organization remains within its risk appetite and meets its objectives.)