To reduce risk impact, the best course of action is to implement corrective measures, which are actions taken to eliminate or minimize the negative effects of a risk event after it has occurred12.
Corrective measures can include restoring normal operations, repairing or replacing damaged assets, recovering lost data, compensating affected stakeholders, and implementing lessons learned12.
Corrective measures can reduce risk impact by minimizing the duration, severity, and scope of the consequences of a risk event, as well as preventing recurrence or escalation of similar risks in the future12.
The other options are not the best course of action to reduce risk impact, but rather different types of risk responses that may have different objectives and effects. For example:
Creating an IT security policy is an example of a preventive measure, which is an action taken to avoid or reduce the likelihood of a risk event before it occurs12. A preventive measure can reduce risk exposure, but not risk impact.
Implementing detective controls is an example of a monitoring measure, which is an action taken to identify and measure the occurrence or status of a risk event during or after it occurs12. A monitoring measure can provide timely information and feedback, but not reduce risk impact.
Leveraging existing technology is an example of a mitigation measure, which is an action taken to reduce the likelihood or impact of a risk event before it occurs12. A mitigation measure can reduce risk exposure, but not necessarily risk impact. References =
1: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, July 2002
2: Project Risk Management Handbook, California Department of Transportation, June 2011
