Risk Treatment

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
1. Risk Treatment is the selection and implementation of appropriate options for dealing with risk.
Risk Treatment as part of the ISO 31000 Risk Management Framework

The options for the Risk Treatment include:


Related Terms: Risk Management, Risk Tolerance, Residual Risk.

Note (1): Risk Reduction is used as the preferred term in place of Risk Termination or Risk Mitigation.

Note (2): Often there is residual risk that cannot be removed entirely because doing so is not cost-effective; this remaining risk is accepted.

Note (3): Risk Acceptance is sometimes referred to as Risk Tolerance.

Note (4): The highest rated risks should be addressed as a matter of urgency.


BCM Institute's Professional Training and Certification

BCMBoK Competency Level:
  • BCMBoK 2: Risk Analysis & Review, CL 2B: Intermediate (BC)
  • BCMBoK 2: Risk Analysis & Review, CL 2C: Intermediate (CM)
  • BCMBoK 2: Risk Analysis & Review, CL 2D: Intermediate (DR)

(Source: Business Continuity Management Institute - BCM Institute)

A Manager’s Guide to ISO 22301 Standard for Business Continuity Management System
Analyzing & Reviewing the Risks for Business Continuity Planning


2. Process of selecting and implementing measures to modify risk.

Note (1): The term "risk treatment" is sometimes used for the measures themselves.

Note (2): Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

(Source: ISO 22399:2007 – Societal Security - Guideline for Incident Preparedness and Operational Continuity Management) - clause 3.42


3. Process to modify risk (2.1).

Note (1): Risk treatment can involve:
  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • taking or increasing risk to pursue an opportunity;
  • removing the risk source (2.16);
  • changing the likelihood (2.19);
  • changing the consequences (2.18);
  • sharing the risk with another party or parties (including contracts and risk financing); and
  • retaining the risk by informed decision.

Note (2): Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".

Note (3): Risk treatment can create new risks or modify existing risks.

[ISO Guide 73:2009, definition 3.8.1]

(Source: ISO 31000:2009 – Risk Management — Principles and Guidelines) - clause 2.25

4. The selection and implementation of appropriate options for dealing with risk.

(Source: Singapore Standard 540 - SS 540:2008)


5. The selection and implementation of relevant options for managing risk. The key treatments include:
  • Acceptance - risks are retained by the organization
  • Avoidance - deciding not to carry on with the proposed activities due to the risk being unacceptable or finding another more acceptable alternative.
  • Reduction - reducing the likelihood and/or consequence of the risk
  • Transfer - transferring the risk in part or totality to another. Insurance is an example of risk transfer.

(Source: Business Continuity Institute - BCI)

6. A systematic process of deciding which risks can be eliminated or reduced by remedial action and which must be tolerated.

(Source: ENISA - the European Network and Information Security Agency. BCM & Resilience Glossary)