Risk Treatment

Updated Jan 30, 2024

Overview

Risk treatment involves deciding on the most appropriate actions based on management's risk attitude and the availability and cost of mitigation measures.

Risk Avoidance

Risk avoidance means removing the risk completely.

  • Decision to eliminate a risk entirely.
  • May involve halting specific activities.
  • Leadership decision when impact or likelihood is deemed too high.

Avoidance helps when a risk is too costly or dangerous to accept.

Risk Acceptance

Acceptance means knowingly choosing to take no further action against the risk and to live with it.

  • Used when impact is small
  • Management continues business as usual
  • Includes exemptions when needed

When a company decides to accept a risk, it should be a decision based on:

  • Cost - Countermeasure costs more than potential loss.
  • Pain - The company can live with the vulnerability and threat.
  • Visibility - The company won’t be viewed as irresponsible in the industry or by stakeholders.

Risk Mitigation

Mitigation reduces the risk impact or likelihood.

  • Most commonly used treatment
  • Includes controls and policies
  • Reduces but may not eliminate risk

Mitigation ensures risks stay manageable even if they cannot be fully removed.

Risk Transference

Transference moves the risk to another party.

  • Often done through insurance
  • Another party handles financial loss
  • Used when risk is expensive to manage internally

Transference helps organizations avoid absorbing major financial losses.

Risk Rejection

Risk rejection means ignoring a risk without proper evaluation.

  • Happens when risks are dismissed
  • Often caused by lack of awareness
  • Poses major compliance problems

Rejection is dangerous because it leaves the organization exposed without preparation.

Next Steps: BIA

Once risk responses are in place, it’s important to monitor their effectiveness to ensure assets remain protected as threats evolve. The next step is conducting a Business Impact Analysis (BIA), which identifies how disruptions could affect operations.

  • Finds critical functions
  • Evaluates impact of outages
  • Supports planning for disasters or attacks

A BIA ensures the organization knows which processes need protection the most.

For more details, see Business Continuity.