Risk Management is not only about Reducing Risk
It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk, to then implement controls or take other actions to reduce that risk.
Once the risk is at an acceptable level the focus is to keep it like that - but essentially do nothing more - except for a periodic or trigger based revisiting of the assessment. However, a big part of the more successful risk & security programs is to never stop there. In fact, achieving the right risk level is merely the very beginning of a more worthwhile journey that improves the way that risks are mitigated. In other words, keep risk flat but improve the efficiency of the controls that mitigate the risk - across multiple dimensions:
Customer experience. Deliver the same risk level but improve the usability of controls - including reducing friction for the customer to sign-up for services or new features. This typically applies in relation to authentication, authorization and fraud prevention.
Cost. Reduce the cost to sustain or upgrade controls and to direct those savings to other improvements - or to other risks where there is still a need to more actively implement new controls to reduce risk.
Efficiency. Optimize the arrangement of controls, or indeed reduce the number of controls implemented for each specific risk, being careful not to impact defense in depth.
Ease of continuous monitoring. Replace controls that are not amenable to continuous performance monitoring, or that don’t emit the right metrics, with ones that do.
Automation. Replace any manual activities progressively with automation to reduce the administrative or other maintenance load.
Adjacent benefits. Develop adjacent benefits for existing controls such as having security logging capture and synthesize more data to assist with performance monitoring, or enhance distributed recovery to not only improve resilience but to increase change windows.
Reduced negative externalities. Enhance controls to reduce impact on other risks, such as improving any trade-offs made between security, resilience and/or performance.
Bottom line : A true mark of a commercially-oriented security program is to be perpetually optimizing control performance even after risk has been reduced to the right levels.