Treating risks - avoid, reduce, transfer, accept
Risk treatment is the third stage of the risk management cycle, after identification and assessment. Once a risk is on the register with a rating, the organisation has to decide what to do about it. The four standard treatment options - avoid, reduce, transfer, accept - cover every meaningful response. Most risks call for a combination rather than a single option.
The point of using a structured set of options is that it forces a deliberate choice. Without that structure, organisations tend to default to "reduce" by adding controls regardless of whether reduction is the most sensible response. Sometimes the right answer is to avoid the risk entirely. Sometimes it makes more sense to transfer it. Sometimes accepting a low-rated residual risk is the appropriate response. The four options give a vocabulary for that conversation.
Avoid
Avoidance means eliminating the risk by not doing the thing that creates it. The activity, product, contract or process that gives rise to the risk is stopped, declined, or replaced with an alternative that does not carry the same exposure.
Examples include declining a contract in a jurisdiction where the bribery risk is unmanageable, withdrawing from a product line where the regulatory burden has become disproportionate, or replacing a hazardous chemical with a less harmful alternative under COSHH. Each removes the risk by removing the activity.
Avoidance is often the most effective treatment because it eliminates the risk rather than just reducing it. It is also often the most costly because it removes the associated benefits along with the risk. The decision to avoid usually sits at top management level - declining business, withdrawing from a market, or stopping a product line are strategic decisions, not operational ones.
The trap with avoidance is using it for risks that the organisation cannot actually avoid. A construction firm cannot avoid working at height. A logistics firm cannot avoid driving. The avoidance option applies where the activity is genuinely optional, not where it is core to the business.
Reduce
Reduction means continuing the activity but adding controls to lower either the likelihood or the consequence (or both). This is the most commonly used treatment option because most business risks come from activities the organisation has to continue doing.
Likelihood-reduction controls aim to make the risk less likely to occur. Examples include staff training to reduce error rates, preventive maintenance to reduce equipment failure, supplier due diligence to reduce supply chain disruption, and access controls to reduce information security incidents.
Consequence-reduction controls aim to limit the impact if the risk does materialise. Examples include backups to reduce the impact of data loss, business continuity arrangements to reduce the impact of disruption, fire suppression to reduce the impact of a fire, and insurance to reduce the financial impact of a wide range of events.
Most reduction strategies combine both. A workplace hazard might be reduced by safer working procedures (likelihood) plus PPE and first aid arrangements (consequence). An information security risk might be reduced by access controls (likelihood) plus backups and incident response (consequence). The combination is usually more effective than either alone.
The hierarchy of controls applies particularly to workplace hazards. Eliminate first, substitute next, then engineering controls, then administrative controls, then PPE as a last resort. The principle holds across other disciplines too - structural controls (separation of duties, automated checks, system limits) are generally more reliable than procedural controls (policies, training, manual review) because they do not depend on people remembering and applying them every time.
Transfer
Transfer means moving the financial or operational consequences of the risk to another party. The risk still exists; the organisation has arranged for someone else to bear part of the impact.
Insurance is the most common form of transfer. Property insurance, employer's liability, professional indemnity, cyber insurance and business interruption all transfer specific consequences from the organisation to the insurer in exchange for a premium. The risk of fire, theft or claim still exists; the financial consequence has been transferred.
Contractual transfer is the second main form. Indemnity clauses, limitation of liability provisions, supplier warranties and contractual penalties all shift specific consequences between parties. A construction contract may transfer the consequence of design defects to the designer, of subcontractor failure to the main contractor, and of late completion to the party causing the delay.
Outsourcing is sometimes classed as transfer, but that classification needs care. Outsourcing the activity does not transfer regulatory accountability - the organisation usually remains accountable to its customers, regulators and the public for outcomes even when the activity is performed by another party. Data protection is a common example: a controller using a processor remains accountable for the processing.
Transfer is best used for low-likelihood, high-consequence risks where the impact would otherwise be unaffordable. It is rarely appropriate for high-likelihood operational risks because the cost of transfer (premiums, contractual concessions) tends to exceed the cost of managing the risk directly.
Accept
Acceptance means recognising the risk, deciding the residual rating is tolerable given the controls in place, and taking no further action beyond monitoring. Acceptance is a deliberate choice, not a default - the risk has been considered, the cost of further treatment has been weighed against the benefit, and the conclusion is to live with the residual position.
Acceptance is appropriate where:
- The residual rating after current controls is low enough to be tolerated
- The cost of further treatment exceeds the benefit it would deliver
- Further reduction is not technically feasible
- The activity carrying the risk is essential to the business and the residual is the best achievable position
Acceptance is not the same as ignoring. An accepted risk is documented, rated, and monitored. If circumstances change - a new control becomes feasible, the consequence increases, the likelihood rises - the acceptance decision is revisited. The register entry stays open, with the residual rating reflecting the accepted position.
Acceptance decisions should be recorded with their rationale. "Accepted - cost of further treatment exceeds expected benefit; reviewed annually" tells an auditor the decision was deliberate. An entry that simply leaves the residual rating high without explanation looks like an oversight.
Combining treatments
Most risks are not treated by a single option but by a combination. A typical strategic risk might be reduced through controls, partially transferred through insurance, and the residual position accepted because no further treatment is cost-effective.
The treatment plan for a cyber risk could combine all four:
- Avoid - decline contracts requiring data handling outside acceptable jurisdictions
- Reduce - access controls, training, monitoring, incident response, backups
- Transfer - cyber insurance for breach response and third-party claims
- Accept - the residual likelihood of a successful attack despite controls is recognised and monitored
What matters is that the combination is deliberate. Each component has been chosen because it addresses part of the risk that the others do not, and the residual position is understood and recorded.
Cost-benefit and proportionality
Treatment decisions should be proportionate to the risk. The cost of controls should be roughly in line with the reduction in risk they deliver. Spending heavily to reduce a risk that was already Tolerable wastes resources; under-spending on a risk rated Substantial leaves exposure unaddressed.
The legal phrase often used in workplace H&S is "so far as is reasonably practicable" - the balance between the risk and the cost (in money, time and effort) of reducing it. The same principle applies more broadly. Reasonably practicable does not mean cheap, and it does not mean expensive; it means proportionate.
For higher-rated risks the threshold is higher. A risk that could threaten the business should attract more investment in treatment than one whose worst case is a minor inconvenience. The residual rating drives where attention should go.
Recording treatment decisions
Treatment decisions should be recorded alongside the risk entry. The minimum is the chosen approach (or combination), the controls or actions to be put in place, the responsible owner, the timescale, and the expected residual position once the treatment is complete.
For risks where treatment requires implementation work - new controls to be introduced, equipment to be purchased, training to be rolled out - the work itself usually moves to the issues and actions register so it can be tracked through to completion. The risk register entry then references the action and updates the residual rating once the action is closed.
Treatment decisions are also a required input to management review under Clause 9.3, which expects the effectiveness of actions taken to address risks and opportunities to be evaluated. Recording the decisions clearly makes that evaluation possible.
When auditing risk treatment I want to see evidence that the choice was deliberate. Not every risk needs four columns of treatment - many are reasonably handled by a single approach - but I expect the chosen treatment to be documented and the residual rating to reflect it.
The flag for me is a register where every risk has been treated by adding controls. That tells me the organisation is defaulting to reduce rather than considering the alternatives.
The accept option is the one organisations most often misuse. Either they accept too readily because reducing further looks like work, or they refuse to accept anything because doing so feels like admitting the risk is real. Both are wrong. A well-functioning register should have a mix of treatment types and a mix of residual ratings - some accepted, some reducing, some monitored for transfer.
The other thing worth saying is that treatment decisions are not permanent. A risk that was acceptable at one residual rating may not be acceptable a year later if the consequence has increased or new controls have become feasible. Revisiting treatment is part of keeping the register live.
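The recording rules above (the minimum fields for a treatment decision, a rationale and review date for an accepted risk, a residual rating that reflects the chosen treatment, and the register-wide flag when every risk has been treated by adding controls) can be written down as checks and run over the register itself. The Python below is an added example, not the page's own material and not part of the alphaZ toolkit. It assumes a four-level rating scale (the page names Tolerable and Substantial; Moderate and Intolerable are assumed labels), an assumed acceptance ceiling of Moderate, and a set of constructed sample entries.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed four-level rating scale, lowest to highest. Tolerable and Substantial
# are the page's labels; Moderate and Intolerable are assumptions for this example.
RATINGS = ["Tolerable", "Moderate", "Substantial", "Intolerable"]
TREATMENTS = {"avoid", "reduce", "transfer", "accept"}


@dataclass
class RiskEntry:
    """One row of a risk register, holding the fields a treatment decision needs."""
    risk_id: str
    description: str
    inherent: str                        # rating before controls
    residual: str                        # rating after current controls
    treatments: set = field(default_factory=set)
    controls: list = field(default_factory=list)
    owner: Optional[str] = None
    timescale: Optional[str] = None      # when outstanding treatment work completes
    rationale: Optional[str] = None      # required when the risk is accepted
    review_date: Optional[str] = None    # required when the risk is accepted


def rank(rating):
    """Position of a rating on the scale, so ratings can be compared."""
    return RATINGS.index(rating)


def check_entry(entry, accept_ceiling="Moderate"):
    """Return the findings for one entry; an empty list means it passes."""
    findings = []
    unknown = entry.treatments - TREATMENTS
    if unknown:
        findings.append(f"unknown treatment(s): {sorted(unknown)}")
    if not entry.treatments:
        findings.append("no treatment recorded")
    if entry.inherent not in RATINGS or entry.residual not in RATINGS:
        findings.append("rating not on the agreed scale")
        return findings
    if rank(entry.residual) > rank(entry.inherent):
        findings.append("residual rating exceeds inherent rating")
    if not entry.owner:
        findings.append("no responsible owner")
    if "reduce" in entry.treatments and not entry.controls:
        findings.append("reduce chosen but no controls or actions listed")
    if "accept" in entry.treatments:
        # Acceptance is deliberate: it needs a rationale, a review date and a
        # residual rating within what the organisation has agreed to tolerate.
        if not entry.rationale:
            findings.append("accepted without recorded rationale")
        if not entry.review_date:
            findings.append("accepted without review date")
        if rank(entry.residual) > rank(accept_ceiling):
            findings.append(f"accepted residual {entry.residual} above ceiling {accept_ceiling}")
    elif rank(entry.residual) >= rank("Substantial") and not entry.timescale:
        findings.append("residual Substantial or worse with no timescale for further treatment")
    return findings


def check_register(entries):
    """Run the per-entry checks and the register-wide 'everything is reduce' flag."""
    per_entry = {e.risk_id: check_entry(e) for e in entries}
    register_findings = []
    if entries and all(e.treatments == {"reduce"} for e in entries):
        register_findings.append("every risk treated by reduce alone - alternatives not considered")
    return per_entry, register_findings


# Constructed sample register: one well-recorded cyber risk combining all four
# options, one acceptance with no rationale, and one entry with several gaps.
SAMPLE = [
    RiskEntry("R1", "Customer data breach", "Substantial", "Moderate",
              {"avoid", "reduce", "transfer", "accept"},
              ["access controls", "training", "monitoring", "incident response", "backups"],
              owner="Head of IT", timescale="next quarter",
              rationale="Accepted - cost of further treatment exceeds expected benefit",
              review_date="annual review"),
    RiskEntry("R2", "Minor office equipment failure", "Moderate", "Moderate",
              {"accept"}, owner="Office Manager"),
    RiskEntry("R3", "Key supplier insolvency", "Moderate", "Substantial", {"reduce"}),
]


if __name__ == "__main__":
    per_entry, register_findings = check_register(SAMPLE)
    for risk_id, findings in per_entry.items():
        print(risk_id, findings or "OK")
    for finding in register_findings:
        print("REGISTER:", finding)
```

Each finding maps to a rule stated on this page rather than to a new one: the accepted entry without a rationale is the "looks like an oversight" case, the entry whose residual rating is higher than its inherent rating is a recording error, and the register-level flag is the all-reduce pattern an auditor would query.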
Avoid, reduce, transfer, accept. Four options. Use them. Most organisations can name them; fewer use them all. The discipline is in the choice, not the words.
Practical Compliance Guidance
IMS1 Section 1.6 covers risk treatment alongside identification and assessment. Treatment decisions are recorded against each risk entry on the strategic register, with implementation actions tracked through to closure on the issues and actions register.
The alphaZ documents below support the treatment workflow - the strategic register where decisions are recorded, the issues and actions register where treatment work is tracked, and the management review form where treatment effectiveness is evaluated.
| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including IMS1, F-IMS23 and the registers used to record and track risk treatment across multiple disciplines. |
| ISO 9001 Management System Toolkit | Quality-only toolkit with F-IMS23 and the issues and actions register where treatment actions are tracked. |
| F-IMS23 Opportunities and Risks Register | Records the chosen treatment alongside each risk entry, with controls in place, residual rating and any further action required. |
| ER1 Issues and Actions Register | Where treatment actions arising from the risk register are tracked through to closure with owner, target date and progress. |
| ER15 Information Security Risks Register | Information security register with explicit treatment columns for the four options - avoid, reduce, transfer, accept - applied to each entry. |
| ER16 Business Continuity Risk Register | Business continuity register applying the same treatment options to disruption risk, alongside recovery time and impact assessments. |
| F-Q3 Management Review | Management review form which evaluates the effectiveness of risk and opportunity treatment as a required input under Clause 9.3. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to risk treatment
UK law sets specific expectations for how some categories of risk must be treated. Workplace health and safety law requires risks to be reduced "so far as is reasonably practicable", which directly informs treatment decisions for workplace hazards. Data protection requires "appropriate technical and organisational measures" - effectively a proportionality test for information security treatment. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
- Management of Health and Safety at Work Regulations 1999
- Health and Safety at Work etc. Act 1974
- Data Protection Act 2018
- Bribery Act 2010
