Risk Treatment Plan
This guide is designed to help you understand and use the Risk Treatment feature effectively. The aim is to make managing cyber risks as straightforward and productive as possible.
Why Use Risk Treatment?
The Risk Treatment feature in SAFE's platform helps you to create, track, and manage risk treatment plans. This unified system allows you to assess and address risks across various levels, ensuring that the best possible steps are taken for risk mitigation. By using this feature, you can prioritize your actions based on cost, benefit, and return on investment (ROI).
What is Risk Treatment?
Risk Treatment within the SAFE product enables you to create customized plans to manage and mitigate risks. Key improvements include:
Proactive risk management
Clear ROI metrics to prioritize actions
Key Features
What-If Analysis
The What-If Analysis allows you to simulate the impact of improving or accepting certain controls on your overall cyber risk. You can explore different scenarios to understand potential outcomes before implementing changes.
Cost-Benefit Analysis and ROI
For each treatment plan, the feature provides a detailed cost-benefit analysis, highlighting the risk reduction, investment required, and the ROI. This helps you decide which plans to prioritize for maximum benefit. Example: A control improvement plan may involve investing $500,000 with an expected risk reduction of $2 million.
Treatment Plan Management
The Treatment Plan feature allows you to list and prioritize different vulnerabilities and misconfigurations based on their associated risk scores. This approach moves beyond just CVSS scores, ensuring that you address the most critical findings first.
How to Use the Risk Treatment Feature?
Getting Started
Access the Risk Treatment Center:
Start by navigating to the Risk Treatment Center within the SAFE product. This is your hub for managing all treatment plans.
Access from within a group (Aggregate Risk): You can also reach the Risk Treatment Plan from What-If Analysis by saving a What-If scenario as a treatment plan.
Create a Risk Treatment Plan:
Click on 'Create a Risk Treatment Plan' to initiate a new plan.
The plan will appear in the Risk Treatment Center with a 'NEW' tag.
Configure Your Plan:
Input details such as Name, Type (Controls or Findings), Priority, and Action (Improve, Mitigate, Accept).
Set the Start and End Dates.
Enter Expected Cost and Expected Risk Reduction. The system will help calculate the Expected ROI.
Review and Modify:
Prioritize based on rationales like Likelihood, Loss Magnitude, and ALE (Annual Loss Expectancy).
Adjust plan parameters like Priority and Owner as needed.
Monitor Progress:
Use the Risk Treatment Center to track the plan's progress through status indicators such as In-progress or Overdue.
Utilize summary widgets for quick insights on risk acceptance, mitigation, and control improvement.
Use Cases
Strategic Planning: Focus on improving major controls like WAF and MFA for long-term risk reduction. Use this approach to allocate budgets effectively.
Tactical Operations: Prioritize specific vulnerabilities for immediate action and risk mitigation.
Value Delivered
With the Risk Treatment feature, you gain:
Enhanced Risk Management Visibility: Keep a clear view of your treatment plan's status and effectiveness.
Proactive Risk Mitigation: Stay ahead of potential threats through informed decision-making.
Measurable Business Impact: Demonstrate the benefit of your investments through precise ROI calculations.