
To understand how large organisations treat IT Service Provider’s risks

In order to achieve this research objective, participants were asked questions about how ITSP's risks are being treated. From the analysis, as illustrated in Figure 5-7, two sub-themes emerged: the adoption of risk response strategies and the factors determining the choice of response strategy.

Figure 5-7: Treatment of risks theme

5.3.4.1 Adopt risk response strategies

From the analysis of the interviews, it was understood that organisations treat ITSP's risks by adopting appropriate risk response strategies until the risks are tolerable. These risk response strategies, as explained by one of the participants, are:

“…acceptance, doing nothing to the risk; remediation, to mitigate the probability of occurrence and impact of risk; transference, shifting risk to a third-party; and avoidance, keeping away from the risk...” (ExPart1)

The adoption of appropriate risk response strategies in treating risk is mentioned in most risk management studies, standards and best practices. According to ISACA (2017), H. Berg (2010) and IRM (2002), risk practitioners are required to treat risks by adopting risk response strategies, which are mitigation, acceptance, transference or avoidance. Mitigation is the use of controls to reduce the probability of occurrence or impact of risk, acceptance is doing nothing to address the risk, transference is moving risk or sharing risk with another entity, and avoidance is boycotting the event that is associated with the risk.

Further analysis showed that organisations could adopt more than one risk response strategy to treat a risk. The concept of adopting more than one risk response strategy to treat a risk is mentioned in the King III Report on Governance for South Africa (King III, 2009). It was stated in the Report that the board of directors could integrate different risk response strategies in order to ensure that risks are appropriately treated or brought to an acceptable level.

5.3.4.2 Factors determining risk response choice

From the interviews, participants identified factors that determine the choice of risk response strategies. As illustrated in Figure 5-8, the choice of a risk response strategy should be determined by the outcome of the risk assessment exercise and by the risk tolerance and appetite of the organisation. These sub-themes are presented below.

Figure 5-8: Factors determining risk response choice theme

Risk assessment outcome – responses from participants of this study showed that senior management relies on the outcome of the risk assessment process to decide on the risk response strategy to adopt. One of the participants expatiated on this point using the possible occurrence of a tsunami as an example of a risk that an organisation in Durban needs to assess; he explained that:

“…due to the low chances of Tsunami occurring in Durban, the organisation may decide to ignore the risk of Tsunami happening. However, because of the high impact of Tsunami they may adopt mitigating strategies from areas that have experienced [a] Tsunami before” (ExPart1)

This explanation implies that organisations need to give adequate attention to the assessment of ITSP's risks, because the assessment outcome determines the adoption of appropriate risk response strategies. The significance of the risk assessment outcome in selecting an appropriate risk response strategy is demonstrated in the studies of Panthi et al. (2007) and Alexander et al. (2006), where a risk matrix developed during the risk assessment phase is leveraged in selecting the appropriate risk response strategy. In these studies, the risk matrix is developed as a four-quadrant graph with the probability of occurrence on the y-axis and the impact of risk on the x-axis, as illustrated in Figure 3-5. According to Panthi et al. (2007) and Alexander et al. (2006), this graph could be leveraged to find the appropriate risk response by plotting each risk on the graph. Any risk that falls in the left two quadrants should be accepted, in the top-right quadrant should be avoided, in the bottom-right quadrant should be transferred, and anywhere on the mid-point of the impact axis should be mitigated.

Risk tolerance and appetite – risk tolerance is the “acceptable level of variation that management is willing to allow for any particular risk” (ISACA, 2017, p. 20) and risk appetite is the “amount of risk an entity is willing to accept in pursuit of its mission” (ISACA, 2017, p. 19). Many of the participants of this study indicated that the risk tolerance and appetite of an organisation must be considered when deciding on the risk response strategy to adopt. According to one of the participants,

“…the risk tolerance or appetite of an organisation, which could be in the form of monetary value should guide on if to accept or mitigate risk” (ExPart2)

The need to consider the risk tolerance and appetite when selecting a risk response strategy is consistent with the study of Prince 2 (2017), where project managers are recommended to consider the project's risk appetite when selecting a risk response strategy in project risk management. As stated by Prince 2 (2017), project managers are required to be aware of how much risk could be afforded or how much loss is acceptable during the course of a project. Project managers are recommended to accept and monitor risks that are below the project risk tolerance, mitigate or share risks above the project risk tolerance, or avoid the risk if it is far beyond the project risk tolerance level (Prince 2, 2017).
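The two decision rules described in this section, the four-quadrant matrix of Panthi et al. (2007) and Alexander et al. (2006) and the PRINCE2 tolerance bands, as an added worked example that is not from the thesis or from those sources. The 1–5 scoring scale and its mid-point, the monetary exposure measure, and the "far beyond" multiplier are assumptions introduced here.

```python
from dataclasses import dataclass

# Constructed scale (assumption): probability and impact each scored 1..5,
# so the matrix mid-point on either axis is 3. The text gives only the rule.
SCALE_MIN, SCALE_MAX = 1, 5
MIDPOINT = (SCALE_MIN + SCALE_MAX) / 2


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # y-axis of the risk matrix
    impact: float       # x-axis of the risk matrix


def matrix_response(risk: Risk) -> str:
    """Four-quadrant rule from the section: left two quadrants -> accept,
    top-right -> avoid, bottom-right -> transfer, on the impact mid-point
    -> mitigate. Ties on the probability mid-point count as 'top' (assumption)."""
    if not (SCALE_MIN <= risk.probability <= SCALE_MAX
            and SCALE_MIN <= risk.impact <= SCALE_MAX):
        raise ValueError(f"{risk.name}: scores must be within {SCALE_MIN}..{SCALE_MAX}")
    if risk.impact == MIDPOINT:      # the mid-point column is mitigated regardless of probability
        return "mitigate"
    if risk.impact < MIDPOINT:       # both left quadrants
        return "accept"
    return "avoid" if risk.probability >= MIDPOINT else "transfer"  # right half


def tolerance_response(exposure: float, tolerance: float, far_factor: float = 2.0) -> str:
    """PRINCE2-style bands as described in the section: below tolerance -> accept
    and monitor, above -> mitigate or share, far beyond -> avoid. Exposure and
    tolerance are monetary values; far_factor is an assumed multiplier."""
    if tolerance <= 0:
        raise ValueError("tolerance must be positive")
    if exposure <= tolerance:
        return "accept and monitor"
    if exposure <= tolerance * far_factor:
        return "mitigate or share"
    return "avoid"


if __name__ == "__main__":
    # Constructed sample risk register for an outsourced IT service
    register = [
        Risk("regional flooding of provider site", probability=1, impact=5),
        Risk("provider patch backlog", probability=4, impact=3),
        Risk("minor SLA reporting delay", probability=2, impact=1),
        Risk("provider breach exposes client data", probability=4, impact=5),
    ]
    for r in register:
        print(f"{r.name}: {matrix_response(r)}")
    print(tolerance_response(exposure=150_000, tolerance=100_000))
```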