Risk Treatment

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).
Revision as of 12:40, 29 October 2020

1. Risk Treatment is the selection and implementation of appropriate options for dealing with risk.
[Figure: Risk Treatment as part of the ISO 31000 Risk Management Framework]

The options for Risk Treatment include:


Related Terms: Risk Management, Risk Tolerance, Residual Risk.

Note (1): Risk Reduction is used as a preferred term to Risk Termination or Risk Mitigation.

Note (2): Often there will be residual risk that cannot be removed entirely because doing so is not cost-effective; hence the acceptance of risk.

Note (3): Risk Acceptance is sometimes referred to as Risk Tolerance.

Note (4): The highest rated risks should be addressed as a matter of urgency.




BCMBoK                             Competency Level
BCMBoK 2: Risk Analysis & Review   CL 2B: Intermediate (BC)
BCMBoK 2: Risk Analysis & Review   CL 2C: Intermediate (CM)
BCMBoK 2: Risk Analysis & Review   CL 2D: Intermediate (DR)


(Source: Business Continuity Management Institute - BCM Institute)


2. Process of selection and implementation of measures to modify risk.

Note (1): The term "risk treatment" is sometimes used for the measures themselves.

Note (2): Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

(Source: ISO 22399:2007 – Societal Security - Guideline for Incident Preparedness and Operational Continuity Management) - clause 3.42


3. Process to modify risk (2.1).

Note (1): Risk treatment can involve:
  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
  • taking or increasing risk in order to pursue an opportunity;
  • removing the risk source (2.16);
  • changing the likelihood (2.19);
  • changing the consequences (2.18);
  • sharing the risk with another party or parties (including contracts and risk financing); and
  • retaining the risk by informed decision.

Note (2): Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".

Note (3): Risk treatment can create new risks or modify existing risks. [ISO Guide 73:2009, definition 3.8.1]

(Source: ISO 31000:2009 – Risk Management — Principles and Guidelines) - clause 2.25

4. The selection and implementation of appropriate options for dealing with risk.

(Source: Singapore Standard 540 - SS 540:2008)


5. The selection and implementation of relevant options for managing risk. The key treatments include:
  • Acceptance - risks are retained by the organization.
  • Avoidance - deciding not to carry on with the proposed activities because the risk is unacceptable, or finding another alternative that is more acceptable.
  • Reduction - reducing the likelihood and/or consequence of the risk.
  • Transfer - transferring the risk in part or in totality to another. Insurance is an example of risk transfer.

(Source: Business Continuity Institute - BCI)
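The following worked example is added here to illustrate definitions 1, 3 and 5 above in a small risk register; it is not BCMpedia content nor code from any of the cited standards bodies. It assumes a 1 to 5 likelihood scale, a 1 to 5 consequence scale, a rating computed as likelihood multiplied by consequence, and a tolerance threshold of 6; the risk names and values are constructed sample data. It applies the four key treatments (accept, avoid, reduce, transfer), orders risks so the highest rated are dealt with first (Note 4), and reports the residual risk that remains after treatment so that anything still above tolerance is flagged rather than silently accepted (Note 2).

```python
"""Risk-treatment register: added illustration, not from the glossary.

Assumed scales (not part of the glossary): likelihood 1..5, consequence 1..5,
rating = likelihood * consequence, tolerance threshold 6.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    AVOID = "avoid"        # stop the activity: the risk source is removed
    REDUCE = "reduce"      # lower likelihood and/or consequence
    TRANSFER = "transfer"  # share with another party, e.g. insurance
    ACCEPT = "accept"      # retain the risk by informed decision


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    consequence: int  # assumed scale: 1 (negligible) .. 5 (catastrophic)

    @property
    def rating(self) -> int:
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Plan:
    treatment: Treatment
    likelihood_after: Optional[int] = None    # used by REDUCE / TRANSFER
    consequence_after: Optional[int] = None   # used by REDUCE / TRANSFER


def apply_treatment(risk: Risk, plan: Plan) -> Risk:
    """Return the residual risk left after the chosen treatment option."""
    if plan.treatment is Treatment.AVOID:
        # Activity not started or continued, so the risk source is gone.
        return replace(risk, likelihood=0, consequence=0)
    if plan.treatment is Treatment.ACCEPT:
        return risk
    # REDUCE and TRANSFER both leave a retained portion of the risk.
    new_l = plan.likelihood_after if plan.likelihood_after is not None else risk.likelihood
    new_c = plan.consequence_after if plan.consequence_after is not None else risk.consequence
    return replace(risk, likelihood=new_l, consequence=new_c)


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest rated risks first, so they are addressed as a matter of urgency."""
    return sorted(risks, key=lambda r: r.rating, reverse=True)


Row = Tuple[str, int, str, int, bool]  # name, inherent, treatment, residual, within tolerance


def treat_register(risks: List[Risk], plans: Dict[str, Plan], tolerance: int) -> List[Row]:
    """Apply each risk's plan (default: accept) and compare residual risk to tolerance."""
    rows: List[Row] = []
    for risk in prioritise(risks):
        plan = plans.get(risk.name, Plan(Treatment.ACCEPT))
        residual = apply_treatment(risk, plan)
        rows.append((risk.name, risk.rating, plan.treatment.value,
                     residual.rating, residual.rating <= tolerance))
    return rows


def needs_further_treatment(rows: List[Row]) -> List[str]:
    """Residual risk above tolerance must not be accepted by default."""
    return [name for name, _, _, _, ok in rows if not ok]


def sample_register() -> List[Row]:
    """Constructed sample data; values are illustrative only."""
    risks = [
        Risk("Primary data centre flood", likelihood=2, consequence=5),
        Risk("Ransomware on file servers", likelihood=4, consequence=4),
        Risk("Legacy app on unsupported OS", likelihood=3, consequence=3),
        Risk("Short power outage", likelihood=3, consequence=1),
        Risk("Key supplier insolvency", likelihood=2, consequence=4),
    ]
    plans = {
        "Primary data centre flood": Plan(Treatment.TRANSFER, consequence_after=2),
        "Ransomware on file servers": Plan(Treatment.REDUCE, likelihood_after=2, consequence_after=3),
        "Legacy app on unsupported OS": Plan(Treatment.AVOID),
        "Key supplier insolvency": Plan(Treatment.REDUCE, likelihood_after=2),
        # "Short power outage" has no plan, so it is accepted as-is.
    }
    return treat_register(risks, plans, tolerance=6)


if __name__ == "__main__":
    for name, inherent, option, residual, ok in sample_register():
        print(f"{name:30} {inherent:>3} {option:9} {residual:>3} {'ok' if ok else 'ABOVE TOLERANCE'}")
    print("further treatment needed:", needs_further_treatment(sample_register()))
```

Run as a script it prints the register ordered by inherent rating; the supplier risk keeps a residual rating of 8 after its planned reduction, so it is listed as needing further treatment instead of being retained by default.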

6. A systematic process of deciding which risks can be eliminated or reduced by remedial action and which must be tolerated.

(Source: ENISA - the European Network and Information Security Agency. BCM & Resilience Glossary)