Once risks have been identified, analysed, and evaluated, the appropriate risk treatment should be applied to reduce, remove, or retain each risk depending on a range of factors.
An organisation might choose to retain a risk if it is inevitable, unavoidable, or lies within the risk tolerance level of the business as defined earlier in the scoping of the risk management strategy. The risk tolerance and risk appetite of an organisation will have a strong impact on the risk treatment, as some may choose to retain more significant risks than others if the potential positive outcomes justify doing so.
Risk treatment involves a range of processes, including:
- The formulation and selection of risk treatments
- The implementation of the required action for each risk
- An assessment of residual risk
- Determining further controls if the residual risk is still too high
- Assessing the effectiveness of the risk treatment in the long term.
Risk treatment options are not universal and may also change as the objectives or context of the strategy or the organisation evolve.
Types Of Risk Treatment
There are a range of risk treatment options, including but not limited to:
- Remove the risk altogether
- Change the likelihood (such as moving servers to a higher floor to reduce the risk of flood damage)
- Change the consequences
- Share the risk through agreements, partnerships, further insurance, etc.
- Retain and mitigate the risk by informed decision
It is up to the organisation to determine the balance between the benefits of retaining a risk (such as a competitive advantage) against the potential cost, adverse impact, and disadvantage of implementation.
Residual risk should be considered in all cases where a risk has been determined as essential or unavoidable. There may be several options to mitigate risk to reduce the likelihood, consequence, or severity of a risk incident, and these may flow one to another for continuous risk mitigation.
For example, an unavoidable risk could be that of fire damage to paper files. This is mitigated by filing in metal cabinets, which is mitigated further by storage in a specified room, and further again by the implementation of sprinklers. Alternatively, an organisation could see this risk and choose to become a paperless organisation, removing the risk of lost data held on paper – but then would have to consider back-up and storage security of digital data.
Clause 6.5.3: Preparing And Implementing Risk Treatment Plans
Once risks have been identified and evaluated, and a risk treatment course of action determined, the next step is to communicate this information to key shareholders.
A treatment plan should be concise, accurate, and deliver information in a timely and clear manner. It needs to outline the risk criteria, analysis, and treatments, and also identify who is accountable for ensuring listed controls are applied.
A good risk treatment plan will demonstrate what the risk is, how it is mitigated, who is responsible, the required timeframe for action, and reporting requirements for accountable individuals.
A risk treatment plan is useful for communicating on a broad level the current risk management strategy, the rationale behind decisions made regarding removed, mitigated, or retained risks, and how responsibility is divided. This ties in well with Clause 5.2, Leadership and Commitment, and Clause 6.2, Communication and Consultation.
These plans need to be integrated into overall business performance objectives and reviews, with full commitment from management, if they are going to be continuously effective and drive improvement and efficiency across the organisation.