• jt

Which Risk Treatment to Choose? An 8-step Process


Eight Step Process For Selecting Risk Treatments


The following process can help identify treatments for complex risks. It can be used for a facilitated brainstorming workshop, as report headings, and stakeholder engagement.

  1. What is the risk? The risk statement must be comprehensive, leaving no room for error about what is really meant.

  2. Why is it a risk? What are the root causes and vulnerabilities? How will it impact objectives?

  3. What is/are the source/s of the risk? What are the hazards? Who or what are likely threat actors and what acts are they committing?

  4. What are the possible risk treatments? All ideas should be listed in the initial brainstorm no matter how impractical or difficult to implement.

  5. What is the best treatment (or treatments)?

  6. Why is this the best treatment/s? Does it directly address the root cause of the risk stated in question one? Is it the best solution in terms of the hierarchy of controls? Does it reduce the risk to ALARP?

  7. What action(s) must be taken to implement it? Who will be responsible? What resources will be required? How will it be measured as being completed successfully? When must/should it be completed by?

  8. What have we not thought of? Search for possible flaws in your proposed treatment, which could be exposed by a question from stakeholders. Any question the stakeholders can think of, you can think of. Develop a Q&A list of potential issues and responses.

Recent Posts

See All

The SRMBOK Maturity Model

Security Risk Management Body Of Knowledge (SRMBOK) The SRMBOK maturity model addresses the following four levels: Level 1 INITIAL Level 2 BASIC Level 3 REPEATABLE Level 4 OPTIMIZING The model also ad

©2019 by Julian Talbot