Risk treatment simply means the steps we take to manage some risk. At the end of the risk assessment process (evaluation), one of the actions we can take is to treat the risk, that is, to do something about it. We have determined that the risk is not acceptable. The actions we might take to address the risk are called risk treatment.
Risk treatment process
Sometimes you can deal with a legal risk with a single action: settle the lawsuit, file for the permit, etc. More often, legal risk requires a more elaborate, iterative approach.
We can break the risk treatment process into five steps:
- Make a list of potential responses and choose one,
- Plan how the organization will implement the option,
- Assess the effectiveness, that is, whether you can change the risk rating as a result of the action,
- Determine if residual risk is acceptable or not, and
- If the remaining risk is not acceptable, decide what additional action you want to take.
Risk treatment options
Risk treatment is aimed at one or more parts of the risk formula. Here are some broad categories of risk treatment options.
- Avoid the risk: take action that will dodge the risk.
- Increase the risk: for positive risks, accelerate or promote the risk.
- Retain: tolerate the risk without additional investigation or investment.
- Share: use contracts or insurance to spread the risk.
- Change consequences: alter the factors contributing to the consequences such that they are acceptable.
- Change likelihood: alter the factors contributing to the likelihood such that they are acceptable.
- Remove source: identify and remove the source of the risk if possible.
For many risks, a financial calculus is sufficient to choose an approach. But some risks might implicate the culture or the values of the organization, in which case those factors should influence the choice of risk treatment option.