WEBVTT

1
00:00:00.000 --> 00:00:01.050
In this lesson,

2
00:00:01.050 --> 00:00:03.450
we will learn about risk response.

3
00:00:03.450 --> 00:00:06.240
Risk response is the implementation of controls

4
00:00:06.240 --> 00:00:08.490
to mitigate identified risk.

5
00:00:08.490 --> 00:00:11.520
Risk response concepts include validation,

6
00:00:11.520 --> 00:00:13.020
which confirms the accuracy

7
00:00:13.020 --> 00:00:15.240
and completeness of identified risks.

8
00:00:15.240 --> 00:00:16.590
Severity impact,

9
00:00:16.590 --> 00:00:19.110
which quantifies the potential consequences

10
00:00:19.110 --> 00:00:21.760
of validated risks to guide prioritization.

11
00:00:21.760 --> 00:00:23.430
And remediation,

12
00:00:23.430 --> 00:00:25.320
which results in the implementation

13
00:00:25.320 --> 00:00:28.890
of actionable risk management and mitigation strategies.

14
00:00:28.890 --> 00:00:30.870
Now let's dive deeper into each

15
00:00:30.870 --> 00:00:33.000
of these three risk responses.

16
00:00:33.000 --> 00:00:35.430
First, we have risk validation.

17
00:00:35.430 --> 00:00:38.910
Risk validation is an important part of responding to risks

18
00:00:38.910 --> 00:00:41.131
because it helps you figure out if a potential problem

19
00:00:41.131 --> 00:00:43.530
is a real or false alarm.

20
00:00:43.530 --> 00:00:45.840
Imagine you're studying for a big exam

21
00:00:45.840 --> 00:00:49.200
and you hear a rumor that the test date has changed.

22
00:00:49.200 --> 00:00:50.220
Before you panic

23
00:00:50.220 --> 00:00:51.750
and change your study schedule,

24
00:00:51.750 --> 00:00:52.583
you need to check

25
00:00:52.583 --> 00:00:54.210
to see if the rumor is true.

26
00:00:54.210 --> 00:00:55.800
That's risk validation.

27
00:00:55.800 --> 00:00:58.230
To do this, you might ask your teacher

28
00:00:58.230 --> 00:01:00.180
or check the official class website

29
00:01:00.180 --> 00:01:01.770
to confirm the test date.

30
00:01:01.770 --> 00:01:03.480
Once you know whether the risk is real

31
00:01:03.480 --> 00:01:06.390
or not, then you can decide what to do next.

32
00:01:06.390 --> 00:01:09.390
In risk management, validation works the same way.

33
00:01:09.390 --> 00:01:12.840
It's all about confirming if a risk is actually something

34
00:01:12.840 --> 00:01:14.580
that we need to worry about.

35
00:01:14.580 --> 00:01:16.260
In an enterprise environment,

36
00:01:16.260 --> 00:01:19.500
risk validation might happen when the IT team receives an

37
00:01:19.500 --> 00:01:22.200
alert about a possible security breach.

38
00:01:22.200 --> 00:01:25.170
Before jumping to conclusions, they investigate

39
00:01:25.170 --> 00:01:27.420
to confirm if the threat is real.

40
00:01:27.420 --> 00:01:31.530
For example, an alert about a suspicious login could simply

41
00:01:31.530 --> 00:01:34.380
be an employee accessing the system from a different

42
00:01:34.380 --> 00:01:37.080
location, not necessarily a hacker.

43
00:01:37.080 --> 00:01:38.910
So the team checks the system logs

44
00:01:38.910 --> 00:01:40.170
and runs diagnostics

45
00:01:40.170 --> 00:01:44.250
to determine whether there really is an actual issue.

46
00:01:44.250 --> 00:01:45.780
By validating the risk,

47
00:01:45.780 --> 00:01:49.410
they ensure resources are spent addressing real problems,

48
00:01:49.410 --> 00:01:51.060
not false alarms.

49
00:01:51.060 --> 00:01:54.270
Second, we have risk severity impact.

50
00:01:54.270 --> 00:01:56.880
Risk severity impact helps us figure out

51
00:01:56.880 --> 00:01:59.790
how much a problem could disrupt our day.

52
00:01:59.790 --> 00:02:01.920
So after asking our teacher

53
00:02:01.920 --> 00:02:03.480
and checking the school website,

54
00:02:03.480 --> 00:02:07.410
we now know the big exam test date has indeed changed.

55
00:02:07.410 --> 00:02:08.670
We now need to determine

56
00:02:08.670 --> 00:02:11.790
how much this change will affect our study schedule.

57
00:02:11.790 --> 00:02:14.250
If the new test date is just a day earlier,

58
00:02:14.250 --> 00:02:15.690
the impact might be minor,

59
00:02:15.690 --> 00:02:17.730
requiring only a slight adjustment.

60
00:02:17.730 --> 00:02:20.160
But if the exam was moved up by a week,

61
00:02:20.160 --> 00:02:21.840
the impact could be severe,

62
00:02:21.840 --> 00:02:25.230
requiring us to completely reorganize our study plan.

63
00:02:25.230 --> 00:02:27.120
In a business setting, this is similar

64
00:02:27.120 --> 00:02:31.110
to discovering a confirmed risk like a supplier delay.

65
00:02:31.110 --> 00:02:32.430
The team needs to assess

66
00:02:32.430 --> 00:02:35.160
how much this delay will affect production.

67
00:02:35.160 --> 00:02:36.810
If it's just a small delay,

68
00:02:36.810 --> 00:02:39.210
it might cause minimal disruption,

69
00:02:39.210 --> 00:02:41.400
but if it's a major delay,

70
00:02:41.400 --> 00:02:44.250
it could result in a significant loss of revenue

71
00:02:44.250 --> 00:02:46.080
and missed deadlines.

72
00:02:46.080 --> 00:02:49.140
Understanding the severity helps the company decide

73
00:02:49.140 --> 00:02:52.080
how urgently they need to respond.

74
00:02:52.080 --> 00:02:55.380
Third and last, we have risk remediation.

75
00:02:55.380 --> 00:02:57.840
Risk remediation takes action to fix

76
00:02:57.840 --> 00:03:00.870
or reduce the impact of a confirmed risk.

77
00:03:00.870 --> 00:03:02.610
So we did our research

78
00:03:02.610 --> 00:03:03.690
and we have confirmed

79
00:03:03.690 --> 00:03:07.170
that the big exam test date has moved up by a week.

80
00:03:07.170 --> 00:03:10.620
So we need to change our entire study plan.

81
00:03:10.620 --> 00:03:13.830
Maybe we decide to study extra hours each day

82
00:03:13.830 --> 00:03:16.350
or join a study group to catch up faster.

83
00:03:16.350 --> 00:03:18.330
These are potential remediation steps

84
00:03:18.330 --> 00:03:21.780
to handle our situation. In a business context,

85
00:03:21.780 --> 00:03:23.340
imagine a company discovers

86
00:03:23.340 --> 00:03:25.410
that a phishing attack has compromised

87
00:03:25.410 --> 00:03:27.300
employee email accounts.

88
00:03:27.300 --> 00:03:28.890
The severity is high

89
00:03:28.890 --> 00:03:31.560
because sensitive data could be at risk.

90
00:03:31.560 --> 00:03:33.330
To remediate the situation,

91
00:03:33.330 --> 00:03:35.730
the company takes immediate steps.

92
00:03:35.730 --> 00:03:39.360
They block the affected accounts, force password resets,

93
00:03:39.360 --> 00:03:42.540
and install additional security measures like

94
00:03:42.540 --> 00:03:44.070
multifactor authentication.

95
00:03:44.070 --> 00:03:46.170
They might also conduct employee training

96
00:03:46.170 --> 00:03:48.090
to prevent future incidents.

97
00:03:48.090 --> 00:03:50.550
These are potential remediation steps

98
00:03:50.550 --> 00:03:52.800
and they help the company reduce risk

99
00:03:52.800 --> 00:03:55.530
and protect their data from further damage.

100
00:03:55.530 --> 00:03:58.860
So remember, risk response is the process

101
00:03:58.860 --> 00:04:00.300
of implementing controls

102
00:04:00.300 --> 00:04:03.810
to address identified risks in an organization.

103
00:04:03.810 --> 00:04:05.670
It starts with risk validation,

104
00:04:05.670 --> 00:04:08.760
where the organization confirms whether the risk is real

105
00:04:08.760 --> 00:04:12.390
and accurate. Then the severity impact is assessed

106
00:04:12.390 --> 00:04:15.870
to understand the potential consequences of the risk.

107
00:04:15.870 --> 00:04:19.170
This assessment helps prioritize the response based on

108
00:04:19.170 --> 00:04:21.690
how critical the impact might be.

109
00:04:21.690 --> 00:04:23.700
Once validated and assessed,

110
00:04:23.700 --> 00:04:25.860
the final step is remediation.

111
00:04:25.860 --> 00:04:29.670
Remediation involves taking actionable steps to mitigate

112
00:04:29.670 --> 00:04:31.230
or eliminate the risk.

113
00:04:31.230 --> 00:04:33.540
Together these processes ensure

114
00:04:33.540 --> 00:04:35.820
that risks are managed effectively,

115
00:04:35.820 --> 00:04:39.723
minimizing potential disruptions and damages.

