Risk Treatment

Risk Treatment is the process of deciding on the best actions to take regarding the identified and prioritized risks. There are four types, outlined below:

  • Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
  • Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
  • Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be fully mitigated, but mitigations such as safety measures should always be in place.
  • Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.

I’m posting this because it is a concept that I have in the past been confused on. For example, mitigation and transference can be confused in the following way. If someone buys software as a decision, are they transferring the risk to the manufacturer of the software? No, this is an example of mitigation, because no other outside party has taken responsibility.

I also think that risk avoidance should just be called risk elimination. To me avoidance sounds a lot like taking no action, which is actually risk acceptance. Very strange way to think about it!