ISO 31000: Developing your risk treatment strategy (Part #8)

Once risks have been identified, analysed, and evaluated, the appropriate risk treatment should be applied to reduce, remove, or retain each risk depending on a range of factors.

Your organisation might choose to retain a risk if it is inevitable, unavoidable, or lies within the accepted risk tolerance level. 

The risk tolerance and risk appetite of an organisation will have a strong impact on the risk treatment, as some organisations may choose to retain more significant risks than others if the potential positive outcomes justify doing so.

Risk treatment involves a range of processes, including:

  • The formulation and selection of risk treatments
  • The implementation of the required action for each risk
  • An assessment of residual risk
  • Determining further controls if the residual risk is still too high
  • Assessing the effectiveness of the risk treatment in the long term.

Risk treatment options are not universal and may also change as the objectives or context of the strategy or the organisation evolve.

Types of risk treatment

There are a range of risk treatment options, including but not limited to:

  • Remove the risk altogether
  • Change the likelihood (such as move servers to a higher floor to reduce risk of flood damage)
  • Change the consequences
  • Share the risk through agreements, partnerships, further insurance, etc.
  • Retain and mitigate the risk by informed decision

It is up to the organisation to determine the balance between the benefits of retaining a risk (such as a competitive advantage) against the potential cost, adverse impact, and disadvantage of implementation.

Risk controls

ISO 31000 defines a control as any measure or action that modifies risk.

Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk.

Risk treatments become controls, or modify existing controls, once they have been implemented.

Two basic types of control

Preventive controls prevent undesirable events from occurring and facilitate desirable events. Examples include:

  • System controls preventing unauthorised access
  • Restrictions of user overrides
  • Segregation of duties
  • Dual entry of sensitive managerial transactions

Detective controls identify or detect undesirable events. Examples include:

  • Exception reports, management review, and action taken on the exceptions

What are Control Measures?

Control measures are: eliminate the risk, substitute the risk with a lesser risk, isolate the risk, or use administrative controls.

Residual risk should be considered in all cases where a risk has been determined to be essential or unavoidable. There may be several options to mitigate a risk by reducing the likelihood, consequence, or severity of a risk incident, and these may be layered one upon another for continuous risk mitigation.

For example, an unavoidable risk could be that of fire damage to paper files. This is mitigated by filing in metal cabinets, which are mitigated further by storage in a specified room, mitigated further by the implementation of sprinklers. Alternatively, an organisation could see this risk and choose to become a paperless organisation, removing the risk of lost data held on paper – but then would have to consider back-up and storage security of digital data.

Clause 6.5.3: Preparing And Implementing Risk Treatment Plans

Once risks have been identified and evaluated, and a risk treatment course of action has been determined, the next step is to communicate this information to key stakeholders.

A treatment plan should be concise, accurate, and deliver information in a timely and clear manner. It needs to outline the risk criteria, analysis, and treatments, and also identify who is accountable for ensuring listed controls are applied.

A good risk treatment plan will demonstrate what the risk is, how it is mitigated, who is responsible, the required time-frame for action, and reporting requirements for accountable individuals.

A risk treatment plan is useful for communicating on a broad level the current risk management strategy, the rationale behind decisions made regarding removed, mitigated, or retained risks, and how responsibility is divided. This ties in well with Clause 5.2, Leadership and Commitment, and Clause 6.2, Communication and Consultation.

These plans need to be integrated into overall business performance objectives and reviews, with full commitment from management, if they are going to remain effective and drive improvement and efficiency across the organisation.

Next in the series: Clause 6.6 – monitoring and review
