What is this risk strategy called?

You are the lead auditor of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks.

What is this risk strategy called?
A . Risk bearing
B . Risk avoidance
C . Risk neutral
D . Risk skipping

Answer: A

Explanation:

The strategy of treating the large risks but leaving the small ones untreated is called risk bearing. Risk bearing means consciously accepting that a risk exists and that it may have consequences, and deliberately implementing no specific control against it. It is normally applied to risks with low likelihood and low impact, or where the cost of a control would outweigh the reduction in risk it buys. It presupposes that the organization has the resources and resilience to absorb the damage if such a risk materializes. In the scenario, the large risks are treated with measures; the distinguishing choice is that the small risks are borne. The other options do not fit: risk avoidance means removing the risk altogether, typically by not carrying out the activity that causes it, and "risk skipping" is not a recognized term. Note that ISO/IEC 27001:2022 does not define the term itself; its clause 3 adopts the terms of ISO/IEC 27000, where risk acceptance is defined as an informed decision to take a particular risk.

Reference: [CQI & IRCA Certified ISO/IEC 27001:2022 Lead Auditor Training Course], ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection ― Information security management systems ― Requirements, ISO/IEC 27000 Information technology ― Security techniques ― Information security management systems ― Overview and vocabulary, [What is Risk Bearing?]
