Risk Treatment

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
Revision as of 13:59, 10 September 2022 by Moh heng (talk | contribs)
1. Risk Treatment is the selection and implementation of appropriate options for dealing with risk.
[Figure: Risk Treatment as part of the ISO31000 Risk Management Framework]

The options for the Risk Treatment include:


Related Terms: Risk Management, Risk Tolerance, Residual Risk.

Note (1): Risk Reduction is the preferred term; Risk Termination and Risk Mitigation are used less often.

Note (2): Often there is residual risk that cannot be removed entirely because doing so would not be cost-effective; this remaining risk is accepted.

Note (3): Risk Acceptance is sometimes referred to as Risk Tolerance.

Note (4): The highest-rated risks should be addressed as a matter of urgency.


BCM Institute's Professional Training and Certification

BCMBoK 2: Risk Analysis & Review; Competency Level CL 2B: Intermediate (BC)
BCMBoK 2: Risk Analysis & Review; Competency Level CL 2C: Intermediate (CM)
BCMBoK 2: Risk Analysis & Review; Competency Level CL 2D: Intermediate (DR)

(Source: Business Continuity Management Institute - BCM Institute)

A Manager’s Guide to ISO 22301 Standard for Business Continuity Management System
Analyzing & Reviewing the Risks for Business Continuity Planning


2. Process of selecting and implementing measures to modify risk.

Note (1): The term "risk treatment" is sometimes used for the measures themselves.

Note (2): Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

(Source: ISO 22399:2007 – Societal Security - Guideline for Incident Preparedness and Operational Continuity Management) - clause 3.42


3. Process to modify risk (2.1).

Note (1): Risk treatment can involve:
  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • taking or increasing risk to pursue an opportunity;
  • removing the risk source (2.16);
  • changing the likelihood (2.19);
  • changing the consequences (2.18);
  • sharing the risk with another party or parties (including contracts and risk financing); and
  • retaining the risk by informed decision.

Note (2): Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention", and "risk reduction".

Note (3): Risk treatment can create new risks or modify existing risks. [ISO Guide 73:2009, definition 3.8.1]

(Source: ISO 31000:2009 - Risk Management - Principles and Guidelines) - clause 2.25

4. The selection and implementation of appropriate options for dealing with risk.

(Source: Singapore Standard 540 - SS 540:2008)


5. The selection and implementation of relevant options for managing risk. The key treatments include:
  • Acceptance - risks are retained by the organization.
  • Avoidance - deciding not to carry on with the proposed activities because the risk is unacceptable, or finding another, more acceptable alternative.
  • Reduction - reducing the likelihood and/or consequence of the risk.
  • Transfer - transferring the risk in part or in total to another party. Insurance is an example of risk transfer.

(Source: Business Continuity Institute - BCI)

6. A systematic process of deciding which risks can be eliminated or reduced by remedial action and which must be tolerated.

(Source: ENISA - the European Network and Information Security Agency. BCM & Resilience Glossary)