Risk Treatment
What is the purpose of Risk Treatment?
Risk treatment is the process of selecting and implementing controls and measures to modify the initial level of a risk. A risk treatment plan must be developed according to the risk evaluation criteria. The plan should list the risks ordered by priority, and that order determines the sequence in which the individual risk treatments are implemented.
The possible types of risk treatment are:
- Risk modification
- Risk retention
- Risk avoidance
- Risk sharing
The organization should define the criteria for acceptable risk levels and, based on them, draw up a risk treatment plan that brings all risks down to those acceptable levels. Once the plan is defined, the organization must record the residual risks expected as the output of the treatment. The residual risks must then be reassessed and submitted for an acceptance decision. An organization may combine several options for a single risk, for example reducing the likelihood of its occurrence and sharing the residual risk with another party or organization. It is also common for a single control to address more than one risk.
Low level risks may be accepted by the organization without further action. Significant and high level risks almost always need to be managed. The organization must assess the cost of implementing mitigating controls and compare it with the loss that would be suffered if the risk occurred.
Based on the risk management and acceptance criteria, the chosen controls must be implemented either to reduce the likelihood of the risk occurring or to limit its impact. Controls of different types can modify a risk in these ways.
When selecting controls it is important to weigh the cost of acquiring, implementing, administering, operating, monitoring and maintaining them against the value of the assets being protected. The return on investment in terms of risk reduction, and the new business opportunities that certain controls make possible, should also be considered. Managers should look for a solution that meets performance requirements while providing sufficient information security. The output of this step is a list of candidate controls with their costs, benefits and implementation priority.
Depending on the risk evaluation, some risks can be retained without further action. A risk may be retained because its likelihood or its impact on the organization is low, or because the controls that could modify it are not cost effective.
Risk avoidance is the decision to withdraw from a planned or ongoing activity so that the risk has no opportunity to arise. The main drivers for such a decision are a high impact on the organization combined with high costs for the other treatment options.
A risk can be shared with an external party that can manage it more effectively than the organization itself. The most appropriate parties for risk sharing are insurance companies or professional bodies with expertise in the specific area. Risk sharing itself introduces new risks, which must be assessed and treated in turn.
Whichever treatment is chosen, the residual risks and the effectiveness of the implemented controls must always be monitored and reassessed when necessary.
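The procedure above (order risks by priority, compare control cost against expected loss, choose between modification, retention, avoidance and sharing, record the residual risk and check it against the acceptance criterion) is mechanical enough to script. The following is an added worked example written for this page, not code from the original text or from any standard. Everything in it is an assumption for illustration: the 1..5 likelihood and impact scales, the probability and loss figures attached to each rating, the acceptance threshold of 6 and avoidance threshold of 20, the rule that insurance removes two impact points, and the four-entry sample register with its controls and premiums.

```python
"""Risk treatment planner (added worked example; all scales, thresholds and
sample data are constructed assumptions, not figures from a real assessment)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed qualitative scales: likelihood and impact are rated 1..5, and the
# risk level compared against the acceptance criterion is their product.
PROB = {1: 0.01, 2: 0.10, 3: 0.30, 4: 0.60, 5: 0.90}   # assumed annual probability per rating
LOSS = {1: 5e3, 2: 2e4, 3: 1e5, 4: 5e5, 5: 2e6}        # assumed loss per occurrence per rating
ACCEPTABLE_LEVEL = 6    # assumed acceptance criterion: a level <= 6 may be retained
AVOID_LEVEL = 20        # assumed: an untreatable risk at or above this means withdrawing from the activity


@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: int = 0   # rating points removed from likelihood
    impact_reduction: int = 0       # rating points removed from impact


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    candidate_controls: List[Control] = field(default_factory=list)
    insurance_premium: Optional[float] = None   # None: no external party will take this risk
    insured_impact_reduction: int = 2           # assumed: insurance absorbs two impact points


def ale(likelihood: int, impact: int) -> float:
    """Annualised loss expectancy for a (likelihood, impact) pair."""
    return PROB[likelihood] * LOSS[impact]


def apply(control: Control, likelihood: int, impact: int):
    return (max(1, likelihood - control.likelihood_reduction),
            max(1, impact - control.impact_reduction))


def treat(risk: Risk) -> dict:
    """Choose a treatment option and record the residual risk for one risk."""
    l, i = risk.likelihood, risk.impact
    result = {"rid": risk.rid, "initial_level": l * i, "controls": [], "cost": 0.0}
    if l * i <= ACCEPTABLE_LEVEL:
        return {**result, "option": "retain", "residual_level": l * i, "accepted": True}

    # Risk modification: take controls whose cost is below the ALE reduction they buy,
    # most cost-effective first, re-scoring the remaining controls against the already
    # modified risk (a control on an impact that is already reduced is worth less).
    remaining = list(risk.candidate_controls)
    while remaining and l * i > ACCEPTABLE_LEVEL:
        scored = []
        for c in remaining:
            nl, ni = apply(c, l, i)
            benefit = ale(l, i) - ale(nl, ni)
            if benefit > c.annual_cost:
                scored.append((benefit / c.annual_cost, c, nl, ni))
        if not scored:
            break
        _, best, l, i = max(scored, key=lambda s: s[0])
        remaining.remove(best)
        result["controls"].append(best.name)
        result["cost"] += best.annual_cost
    option = "modify" if result["controls"] else None

    # Risk sharing: pass the residual to an insurer when the premium is below the residual ALE.
    if l * i > ACCEPTABLE_LEVEL and risk.insurance_premium is not None \
            and risk.insurance_premium < ale(l, i):
        i = max(1, i - risk.insured_impact_reduction)
        result["cost"] += risk.insurance_premium
        option = "modify+share" if option else "share"

    # Risk avoidance: nothing affordable reduced a severe risk, so withdraw from the activity.
    if option is None and l * i >= AVOID_LEVEL:
        return {**result, "option": "avoid", "residual_level": 0, "accepted": True}
    if option is None:
        option = "retain"   # no cost-justified control: retained pending an explicit acceptance decision

    residual = l * i
    return {**result, "option": option, "residual_level": residual,
            "accepted": residual <= ACCEPTABLE_LEVEL}


def treatment_plan(risks: List[Risk]) -> List[dict]:
    """The plan lists risks by initial level, highest first; treatment follows that order."""
    return [treat(r) for r in sorted(risks, key=lambda r: r.likelihood * r.impact, reverse=True)]


# Constructed sample register; descriptions and figures are hypothetical.
SAMPLE_RISKS = [
    Risk("R1", "Ransomware encrypts the file servers", 4, 5,
         [Control("Offline, tested backups", 20_000, impact_reduction=3),
          Control("EDR on all endpoints", 8_000, likelihood_reduction=2)],
         insurance_premium=40_000),
    Risk("R2", "Defacement of the cafeteria menu site", 2, 2),
    Risk("R3", "Legacy control system reachable from the internet, no vendor patches", 5, 5),
    Risk("R4", "Breach at the outsourced payment processor", 3, 4,
         [Control("Bring payment processing in-house", 400_000, 2, 2)],
         insurance_premium=30_000),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print(row)
```

Running it on the sample register produces the four outcomes the text describes: R3 has no affordable control and is avoided, R1 is modified by both controls (EDR first, because it buys more ALE reduction per unit cost, then backups) down to an accepted residual, R4's only control costs more than it saves so the residual is shared with an insurer, and R2 is retained. The re-scoring inside the loop is the practical point: a control's value depends on what has already been applied, so the list of candidate controls with costs and benefits has to be re-evaluated as the plan is built, not priced once in isolation.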