Once you have identified reasonably foreseeable threats to your organization and data, and you have implemented controls to reduce the risk of those threats, the final step in conducting a remote work risk assessment is to develop accurate risk management plans.
Creating a risk management plan is the part of the risk assessment process where you document the answer to the question, "What now?" What is your organization going to do with the residual risk of threats?
A risk management plan most often falls into one of four categories: Accept, Defer, Transfer, or Mitigate Further. Here are some examples and reasons why each of these options may be an accurate risk management plan for your organization's work from home function.
One option is to accept the residual risk as it is and choose to do nothing else with it. This option is most often applicable when the risk of a threat has been reduced to a low level of likelihood and potential damage. That said, a case could be made for choosing to accept a higher risk of threats in certain circumstances.
When considering the adverse circumstances requiring employees to work from home, a case could be made that the business opportunity outweighs the risk introduced by certain threats in this environment. In other words, one organization's risk may be another organization's opportunity, and it may be worth accepting the risk to keep operations going.
Choosing to defer residual risk is also known as "avoidance." Essentially, when you choose to defer a risk, you are saying you recognize a heightened risk exists, but you are intentionally choosing not to do anything about it at the present time. This risk management plan is most often viable when you know a change is coming that will affect the residual risk of the threat.
For example, the organization may have plans to change a business function, switch to a different service provider, or in the case of working from home, go back to the office. If you know your organization's employees will not telework for much longer, it may not make financial or operational sense to implement additional controls to reduce the risk of certain threats.
Transferring risk should primarily be considered as a risk management plan when insurance coverage is one of your key controls. Electing to transfer the risk of certain threats means you will be sharing the risk with someone else (i.e., an insurance provider). This is not always seen as a viable option, as you should be doing what you can to reduce risk in-house, so it is good to use this option as little as possible.
Regarding your remote work risk assessment, it may be beneficial to revisit any cyber insurance in which your organization has invested and determine whether it would apply should a threat occur in the remote work environment.
Choosing to mitigate the risk of a threat further is like saying you recognize the level of risk is not ideal, but you want and are planning to do more. If this is the case for your organization, be sure to document your plans for improvement, such as adding a new vendor service or implementing additional controls.
If your organization likes how the remote work function is going and is making plans to continue allowing employees to work from home, choosing to further mitigate the likelihood, potential damage, and risk of certain threats may be worth the investment.
The best way to know what risk management plan is right for you is to look to your organization's business strategy and risk appetite, and make an informed decision from there.
If you are ready to start your remote work risk assessment, download our Remote Work Risk Assessment Template. Designed to help you assess the risk of remote work threats, you can use the template to help you ask questions about your remote work environment, identify applicable threats and controls, and document your risk management plans.
To take your remote work risk assessment to the next level, learn more about Tandem Risk Assessment. In addition to the features offered by a spreadsheet, Tandem can help you more efficiently manage your cybersecurity risk assessments with additional templates, access roles, presentation documents, email notifications, and more.