ACP 122 (F) - Multilateral Planners Conference
UNCLASSIFIED
ACP 122(F)
a. Tolerate - acknowledge liability for the costs if the risk should be realized,
b. Terminate - abandon the activity or function which causes the risk,
c. Transfer - make it another agency’s responsibility, e.g., an outsourcing partner or an insurance company, and
d. Treat - implement counter-measures to limit the likelihood and/or impact of the risk.
METHODOLOGY
310. Rather than developing a unique common methodology for risk management, national standards will be adopted for risk management in combined operations. This approach facilitates the nations' compliance with standards, and promotes enforcement of standards. For combined systems, the relevant Designated Approval Authority(s) (DAA) will make the decision regarding what constitutes an acceptable risk.
COUNTER-MEASURES
311. Those risks that cannot be accepted, transferred or avoided must be reduced by counter-measures. There are many types of counter-measure, which operate in one of the following arenas:
a. Physical (e.g., a perimeter fence),
b. Procedural (e.g., having an authorisation form signed by an appropriate person before a new user account is set up),
c. Personnel (e.g., security clearances required for system administrators and users, user training), and
d. Technical (e.g., use of an evaluated password mechanism).
312. Counter-measures are an actual cost, set against the potentially greater cost of the realized risk. That actual cost might be financial (e.g., the purchase, maintenance and licensing cost of a software package, or the personnel costs of an increased security force) or operational (e.g., slowing down information exchange between combatants by imposing a ‘second authorised signature’ rule for information release). The costs must be identified and recorded if properly informed risk management decisions are to be made.