Risk Treatment: Accept, Transfer, Mitigate, Avoid
Evaluate the four risk treatment options and learn how to match the right response to each risk based on cost-benefit analysis.
What Is Risk Treatment?
After risks are identified and analyzed, an organization must decide what to do about each one. Risk treatment is the process of selecting and implementing a response to each risk based on its likelihood, its impact, and the cost of the candidate responses. There are four widely recognized treatment options: accept, transfer, mitigate, and avoid (ISO/IEC 27005 calls them risk retention, risk sharing, risk modification, and risk avoidance). No single option is always correct: the right choice depends on business context, risk appetite, and available resources, and whichever option is chosen, the residual risk that remains must itself be documented and formally accepted.
Risk Mitigation
Risk mitigation reduces the likelihood or the impact of a risk by implementing security controls, and it is the most common treatment option. Examples include deploying a firewall to reduce the likelihood of network intrusion, patching software to close known vulnerabilities, and requiring MFA so that a stolen password alone is not enough to log in (reducing the impact of credential theft). Mitigation does not eliminate risk: what remains after the controls are in place is residual risk, which must be reassessed and then either accepted or treated further. The cost-benefit test is simple: a control is worth deploying only when its annualized cost is lower than the reduction in expected loss it delivers; if it is not, accepting or transferring the risk is the cheaper response.
# Mitigation examples
Risk : Unpatched server (CVE-2024-1234)
Treatment : MITIGATE
Controls :
- Apply security patch within 48 hours
- Enable automated patching for critical updates
- Add IPS signature to detect exploit attempts
Residual Risk : LOW (patch applied, IPS active)
Cost : $0 license cost (patching; staff time not counted), $8,000/year (IPS license)
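The following is an added example, not code from the original lesson, that puts the cost-benefit rule into working form. It scores each treatment option by its total expected annual cost (what you pay for the treatment plus the residual annualized loss expectancy that remains) and drops any option whose residual risk exceeds the stated risk appetite before ranking. The SLE, ARO, insurance premium, likelihood and impact factors and risk-appetite figure are all constructed for illustration; the only number carried over from the lesson is the $8,000/year IPS license. Modelling risk transfer as "the organisation still bears a retained share of each loss" is an assumption of this example, not something the lesson states.

```python
"""Cost-benefit ranking of risk treatment options using the ALE model.

Added example for this lesson, not code from the original page.
Every figure here is constructed for illustration except the
$8,000/year IPS license, which is taken from the lesson's mitigation
example. ALE = SLE * ARO is the standard quantitative model.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annual rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy with no treatment applied."""
        return self.sle * self.aro


@dataclass
class Treatment:
    option: str            # ACCEPT, MITIGATE, TRANSFER or AVOID
    annual_cost: float     # control cost, insurance premium, or forgone revenue
    likelihood_factor: float = 1.0  # multiplier on ARO after treatment (0..1)
    impact_factor: float = 1.0      # share of each loss still borne by the organisation (0..1)
    note: str = ""

    def residual_ale(self, risk: Risk) -> float:
        """Expected annual loss that remains once the treatment is in place."""
        return risk.sle * self.impact_factor * risk.aro * self.likelihood_factor

    def total_cost(self, risk: Risk) -> float:
        """True annual cost of the option: what you pay plus what you still expect to lose."""
        return self.annual_cost + self.residual_ale(risk)


def control_pays_for_itself(risk: Risk, treatment: Treatment) -> bool:
    """A treatment is cost-justified when the ALE it removes exceeds its annual cost."""
    return risk.ale - treatment.residual_ale(risk) > treatment.annual_cost


def rank_treatments(risk: Risk, options: list[Treatment], risk_appetite: float) -> list[Treatment]:
    """Cheapest total-cost option first, after dropping any option whose
    residual ALE exceeds the stated risk appetite. The appetite check runs
    first: an option that leaves too much residual risk is not eligible,
    however attractive its total cost looks."""
    eligible = [t for t in options if t.residual_ale(risk) <= risk_appetite]
    return sorted(eligible, key=lambda t: t.total_cost(risk))


def example() -> list[tuple[str, float, float]]:
    """Worked example on constructed figures. Returns (option, residual ALE,
    total annual cost) for each eligible treatment, best option first."""
    # Constructed risk: $250,000 per incident, expected once every five years -> ALE $50,000.
    risk = Risk("Unpatched internet-facing server", sle=250_000, aro=0.2)
    options = [
        Treatment("ACCEPT", 0, note="do nothing; residual ALE is the full $50,000"),
        Treatment("MITIGATE", 8_000, likelihood_factor=0.05,
                  note="patch + $8,000/yr IPS; assumes exploitation becomes 20x less likely"),
        Treatment("TRANSFER", 12_000, impact_factor=0.2,
                  note="constructed cyber-insurance premium; deductible leaves 20% of each loss with us"),
        Treatment("AVOID", 30_000, likelihood_factor=0.0,
                  note="decommission the service; cost is the revenue it generated"),
    ]
    risk_appetite = 15_000  # constructed: max residual ALE the business will carry for this risk
    ranked = rank_treatments(risk, options, risk_appetite)
    return [(t.option, t.residual_ale(risk), t.total_cost(risk)) for t in ranked]


if __name__ == "__main__":
    for option, residual, total in example():
        print(f"{option:<9} residual ALE ${residual:>9,.0f}   total annual cost ${total:>9,.0f}")
```

On these figures ACCEPT is excluded outright (its $50,000 residual ALE exceeds the $15,000 appetite), and the remaining options rank MITIGATE ($10,500 total), TRANSFER ($22,000) and AVOID ($30,000). Change the assumptions and the ranking moves: if the control only halves the likelihood, or the asset's revenue is small, transfer or avoidance can come out ahead, which is exactly why the treatment decision has to be recomputed per risk rather than defaulting to "mitigate".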