Risk treatment and mitigation strategy is the third step in the risk management process.
Risk treatment strategy is the way we deal with a particular risk, in other words, how we respond to it. We can choose one of these four ways:
- Accept
- Mitigate
- Transfer it to someone else
- Avoid
Risk treatment is also referred to as Risk Response Planning. In this step, risk mitigation strategies, preventative care, and contingency plans are created based on the assessed value of each risk. Using a fire as an example, risk managers may choose to house additional network servers offsite, so business operations could still resume if an onsite server is damaged. The risk manager may also develop evacuation plans for employees.
Accepting the risk
Risk retention is the most common method of dealing with low-ranked risks. When no positive action is taken to avoid, reduce, or transfer the risk, the possibility of loss involved in that risk is accepted or retained. When a risk is unlikely to occur or its impact is minimal, accepting the risk might be the best response.
- Accepting risk means doing nothing
- The risk can be accepted, for example, if possible measures would be difficult to implement or disproportionately expensive
- In other words, you hope that the risk doesn't happen or that you can handle it if it does
Avoiding the risk
Risk is avoided when the company refuses to accept it. This is accomplished by simply not engaging in any action or process that "creates" the risk. In other words, the company dismisses the source of the risk (process, assets).
- Example of risk avoidance: If the use of a particular device is hazardous, then do not use it. This is a negative rather than a positive technique.
Transferring the risk
Transferring risk means handing it to someone who is more willing to bear it. In other words, it is outsourcing the risk to a third party that can manage it or its consequences. This is done through insurance contracts or operationally through outsourcing an activity.
- Example of risk transfer: Insurance, hedging, outsourcing
Reducing the risk
Mitigating (also called controlling, modifying, or reducing) a risk can be done in two basic ways: through loss prevention and control. It means preventing the occurrence of the loss, or controlling the severity of the loss if it does happen. In practice, a measure is put in place that reduces the chance that the risk will occur or reduces the impact of the risk. The measure cannot cost more than the losses.
- Examples of risk reduction: medical care for employees, fire extinguishers, use of PPE, burglar alarms