ISO 31000: Developing your risk treatment strategy
03 May 2017
Once risks have been identified, analysed, and evaluated, developing your risk treatment strategy is the next step in working towards your ISO 31000 risk framework.
An appropriate risk treatment should be applied to reduce, remove, or retain each risk depending on a range of factors. Your organisation might choose to retain a risk if it is inevitable, unavoidable, or lies within the accepted risk tolerance level.
The risk tolerance and risk appetite of an organisation will have a strong impact on its risk treatment plans: some organisations will choose to retain more significant risks than others if the potential positive outcomes justify the exposure.
Risk treatment involves a range of processes, including:
- The formulation and selection of risk treatments
- The implementation of the required action for each risk
- An assessment of residual risk
- Determining further controls if the residual risk is still too high
- Assessing the effectiveness of the risk treatment in the long term.
Risk treatment options are not universal and may also change as the objectives or context of the strategy or the organisation evolve.
Types of risk treatment
The different types of risk treatment might include:
- Remove the risk altogether
- Change the likelihood (for example, move servers to a higher floor to reduce the risk of flood damage)
- Change the consequences
- Share the risk through agreements, partnerships, further insurance, etc.
- Retain and mitigate the risk by informed decision
It is up to the organisation to weigh the benefits of retaining a risk (such as a competitive advantage) against the potential cost, adverse impact, and disadvantages of implementing a treatment.
ISO 31000 defines a control as any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented.
Two basic types of control
Preventive controls prevent undesirable events from occurring; for example, stopping unauthorised access to sensitive information by ensuring the system has controlled access. Detective controls, on the other hand, seek out undesirable events after they have happened, for example through a scheduled review or reconciliation of data.
What are Control Measures?
Control measures are designed to eliminate the defined risk. They might work to substitute it with a lesser risk, isolate it or use administrative controls to mitigate the risk.
Residual risk should be considered in all cases where a risk has been determined as essential or unavoidable. There may be several options to mitigate risk to reduce the likelihood, consequence, or severity of a risk incident, and these may flow from one to another for continuous risk mitigation.
For example, an unavoidable risk could be fire damage to paper files. This is mitigated by filing in metal cabinets, which is mitigated further by storage in a specified room, and so forth. Alternatively, an organisation could see this risk and choose to become a paperless organisation, removing the risk of lost data held on paper. In this case, it would also have to consider the back-up and security of digital data, using a solution such as Ideagen’s Q-Pulse.
Clause 6.5.3: Preparing And Implementing Risk Treatment Plans
Once risks have been identified, evaluated, and a risk treatment course of action determined, the next step is to communicate this information to key shareholders.
A treatment plan should be concise, accurate, and deliver information in a timely and clear manner. It needs to outline the risk criteria, analysis, and treatments, and identify who is accountable for ensuring listed controls are applied. A good risk treatment plan will demonstrate:
- What the risk is
- How it is mitigated
- Who is responsible for it
- The required timeframe for action
- The reporting requirements for accountable individuals
A risk treatment plan is useful for communicating on a broad level what the current risk management strategy is. It will demonstrate the rationale behind decisions made regarding removed, mitigated, or retained risks, and how responsibility is divided. This ties in well with Clause 5.2, which focused on Leadership and Commitment, and Clause 6.2 on Communication and Consultation.
A risk treatment strategy needs to be integrated into the overall business performance objectives and reviews. There should be full commitment from management if it is going to be continuously effective and drive improvement and efficiency across the organisation. Discover how our risk management system can help you comply with ISO 31000.