Category: Risk management frameworks · Reviewed by Chrissie Anderson, Client Executive · Last reviewed
Risk treatment is the process of selecting and implementing options for modifying risk. ISO 31000 sets out a non-exhaustive list of treatment options, commonly summarised under the “4 Ts”:
ISO 31000:2018 itself lists seven options: avoiding the risk, taking or increasing the risk to pursue an opportunity, removing the risk source, changing likelihood, changing consequences, sharing the risk, and retaining the risk by informed decision.
The choice of treatment depends on cost versus benefit, feasibility, secondary risks created by the treatment, regulatory constraints and the residual position required by risk appetite. For each risk, the register should record:
Insurance is the most visible form of risk transfer. It does not eliminate risk — it converts the loss profile from an uncertain large loss to a certain premium plus residual retentions, exclusions and counterparty credit risk.
For material risks, a formal risk treatment plan is recommended (and required by ISO 31000 for high-rated risks). The plan documents the rationale, resources, responsibilities, performance measures and review dates.
Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.