Risk Treatment

Risk elimination refers to the removal of uncertainty from a risk. The probability of occurrence is converted to either 0% (for threats) or 100% (for opportunities).

Allocation of risk ownership refers to the process of enacting contracting strategies or similar to modify exposure to a risk. This approach accepts that we will not be modifying the actual characteristics of the risk (probability or impact), but that it is possible to modify our exposure to it by sharing exposure with a third party. It is worth noting that it is rare to be able to transfer a threat entirely to another party, whether contractually or by insurance. It is usually more realistic to define the process as sharing.

For some risks, we may be able to modify the potential impact or probability of the risk occurring to mitigate or enhance its consequence. In the case of threats, an effective risk treatment would reduce the probability of the risk occurring or its impact should it occur. Conversely, in the case of an opportunity, effective risk treatments would increase the probability that the organisation could capitalise on the opportunity and/or its beneficial impacts should it occur.

To assess the efficacy of risk treatments, it is important to compare the risk exposure rating both pre and post treatment. This is often referred to as pre- and post-mitigation, even though several other treatment types are possible, as noted above.

The post-treatment risk rating is referred to as the “residual risk”. Maintaining an understanding of the pre-treatment risk assessment rating is important as it helps to understand what the exposure if risk treatment plans are not implemented or they fail to control the risk adequately.

This is a key part of Risk Management that is often under-emphasised. Effective implementation of risk treatments is crucial and may involve creation of mini-projects. Treatments may be pro-active, requiring deterministic expenditure of effort and money, or may be contingent, involving detailed planning for actions to follow immediately the occurrence of the risk is detected. Without implementation of effective treatments, Risk Management may achieve little.