Page 97 - CISSO Prep Guide
altogether and cease the activity that is associated with the risk.
This may mean stopping operations in a region of the world,
ceasing the manufacturing of an outdated product, or shutting
down an older system.
Implementing Risk Response
Once the risk assessment report has been submitted, and the
organization has had a chance to review the recommendations of the
risk assessors, the next step is to put in place a plan to respond to
the risk. The risk assessment identifies the risk and suggests the
priorities for risk mitigation. However, it is up to management to
determine the gap between current levels of risk and risk
acceptance levels. The risk assessor may recommend controls.
Still, in the end, it is up to the senior management team to
determine whether to accept the recommendation, implement
even more stringent controls than were recommended, or accept
a higher level of risk than was recommended. This is based on
the risk culture of the organization and the risk appetite of the
senior management team.
Once the mitigation strategy (accept, transfer, avoid or reduce
the risk) has been chosen, the next step is to put in place a plan
to implement that strategy. This is where the organization must
consider the risk priorities, available time and resources, and
cost. The priorities for the risk response strategy may be based
on legal requirements and compliance; on the severity of the risk;
on the availability of a solution; and perhaps on some quick wins
whose implementation can show progress. Like any security program,
the risk response plan should be based on deliverables,
milestones, and results. The program should report back to