- Response options are brainstormed for all risks exceeding thresholds for acceptable risk.
- Each risk event is reassessed for residual risk.
- Residual expected cost values are determined for top risks.
- Costs and benefits for each response are analyzed over multiple years.
- Responses are selected based on cost-benefit analysis and IT’s capabilities to implement the projects.
- All risk response recommendations are presented formally to an appropriate Management Committee for approval