How to choose the best risk response strategy is an important question because the risk response strategy, when we implement it, is the thing which is actually going to manage the risk. So, until we implement a risk response strategy, all we've done is identify, analyze, and decide what we could do. And then we implement the risk response strategy, and then we manage the risk. So, we need to choose the right one. If we choose the wrong risk response strategy, then maybe we don't change the risk at all or actually, we could make things worse if we choose something completely inappropriate. And certainly, we could be wasting time and money. So, it is important to choose an appropriate risk response strategy.
Now, as a reminder, there are five threat response strategies and five opportunity response strategies. So, for threats, we can decide to avoid the threat, kill it completely, and we can transfer it, get someone else to take it away. We could reduce it, try and make it smaller, we could accept it, do nothing, monitor it with a contingency plan, or maybe, it's not ours, we can escalate it to someone else who owns the objectives that would be affected. On the opportunity side, we have matching strategies. So, we could exploit an opportunity, grab it, and capture it, make it happen. We could share it with someone else who will help us to make it happen. We could enhance it to make it bigger. We can accept it, just monitor it with a contingency plan if it happens, or if it's not ours, we escalate it to somebody else. Now, those five things happen in order.
So, the best thing to do if it's ours, if we ignore the escalate, if it's escalated, you just escalated. But if it's a big threat or a big opportunity, the best thing to do is obviously to avoid the threat and exploit the opportunity if we can. If we can't do those, the next best thing is to transfer or share, get somebody else to avoid it or exploit it for us. If we can't do those, the next best thing is to say, "Let's make the threat as small as possible and the opportunity as big as possible." And the last response we want is to accept the risk if we have to.
So, there is a priority order amongst those different strategies. Start at the top and work down. Yes, but there's something else we need to think about. Two factors, in fact. The first is cost-effectiveness. We don't want to spend a million dollars to avoid a threat which would only cost us $10,000. We don't want to spend a million dollars to capture an opportunity that only saves us $10,000. We want to do it the other way around. Spend $10,000 in order to remove the threat of a million or in order to capture the saving of a million. So, it has to be cost-effective. That means what we need to do is to measure the cost of the response and the cost of the impact and look for the highest possible ratio of change in the impact to the cost of the response.
So, I might reduce the impact of a threat from a million dollars to five hundred thousand dollars by spending ten thousand. That gives me a leverage, or leverage, so I reduce it by five hundred thousand and spend ten, so that gives me 50. Maybe I could reduce it from a million to zero by spending a hundred thousand. That will give me a leverage of 10. So, which is the better response? It's the one with the higher leverage. Okay. So, we can look at the saving or the opportunity or the removed penalty from a threat and look at the cost-effectiveness. That's one thing, yes. The other is risk effectiveness. So, the risk is not just its impact.
The risk is the probability and the impact combined. How big is the risk uncertainty? That matters. And what we want is to have an impact on the risk exposure as effective as possible. So, here, we're looking at changes in the size of the risk for the amount of money we spent. How much if we reduce the overall threat exposure or how much have we increased the potential opportunity exposure for spending this money? So, that's called risk efficiency. So, we're looking for cost-effective and risk-effective responses.
So, the first thing is to look down the list of the strategies in order. The second thing is to consider cost-effectiveness and risk-effectiveness.
"Which is the best risk response strategy in risk management? How do we choose the best one?" Yes, there may not be one. It might be best for now. But if we try that and then it doesn't work or it doesn't quite work as expected, we might want to do something later. So, maybe we choose now to avoid threats. But once we've tried to avoid it, we find we couldn't avoid it completely. Then we have to maybe choose later to try and reduce it further. And maybe then, later on, we find we can't reduce it any further. So, we have to accept it. But what we're doing is by choosing a strategy, we're deciding what actions we're going to take now to manage the risk. Okay. So, what we want is to choose the best strategy for now and recognize that there might be a better strategy later. But we'll think about that later. We're defining our actions now in order to manage the risk. So, the question is really, how do I choose the best response strategy for now? That's right. I like the whole thinking of being selective and tailoring and not just saying one-size-fits-all, "This is the best, everyone can go with it."
See also: Risk owner