After identifying and assessing risks, the risk management process moves into the risk treatment phase. At this stage, organizations must decide how to address each identified risk by selecting measures that bring it to an acceptable level. Implementing controls, the specific actions or mechanisms that manage those risks, is the core of effective risk treatment. This article explores the four primary risk treatment options, the three types of controls that can be applied (preventive, detective, and corrective), and why controls must be monitored after they are put in place.
Four Risk Treatment Options
Risk Avoidance: Risk avoidance involves deciding not to engage in activities that generate risk. For example, an organization may choose not to enter a new market or develop a new product if the potential risks are deemed too high relative to the expected returns. This is the most conservative approach to risk treatment.
Risk Mitigation: Risk mitigation (also called risk reduction) aims to lessen the likelihood and/or impact of a risk by implementing controls that make the event less likely to occur or limit its effects should it occur. For example, adding safety features to machinery reduces the likelihood of accidents, while keeping tested backups reduces the impact of data loss without making it any less likely.
Risk Transfer: Transferring risk involves shifting the financial burden of a risk to another party, typically through outsourcing or insurance. For instance, companies often purchase insurance to transfer the financial risk of theft of or damage to their assets. Note that transfer shifts the financial consequences, not accountability: an organization that outsources data processing or buys cyber insurance remains answerable to its customers and regulators if that data is breached.
Risk Acceptance: Sometimes the cost of mitigating a risk outweighs the benefit of reducing it. In such cases, an organization may decide to accept the risk. This decision is usually made when the risk is low and within the organization's risk appetite, and it should be documented and approved by someone with the authority to accept it rather than left implicit. Risk acceptance often involves setting aside reserves or taking no action other than periodic monitoring of the risk.
What is a Control?
In risk management, a control is a measure or mechanism that modifies risk. Controls are designed to prevent, detect, and correct events that may affect the achievement of an organization's objectives. Effective controls help organizations meet those objectives, operate efficiently, and comply with laws and regulations.
Types of Controls
Controls differ in when they act on a risk: before the event, while it is happening, or after it. It is important to understand this difference to ensure the selected controls have the desired effect; a control that only detects an event does nothing to stop it.
Preventive Controls
Preventive controls are designed to stop unwanted events before they occur, either by deterring them or by removing or reducing the vulnerabilities that could be exploited. They are proactive measures that help avoid potential negative outcomes.
Examples include:
Passwords and authentication systems to prevent unauthorized access.
Employee training to avoid errors and violations.
Visible surveillance cameras and security guards to deter intruders.
Detective Controls
Detective controls identify that a risk event has occurred or is occurring. They do not stop the event; their value lies in surfacing it promptly so that corrective action can be taken, which means someone must actually review the alerts, audit findings, and logs they produce.
Examples include:
Audits and reviews that catch discrepancies.
Surveillance cameras whose footage is reviewed to detect unauthorized access or activity. (The same camera is preventive when it is visible as a deterrent and detective when its recordings are examined; a control's type depends on how it is used, not only on what it is.)
Network and log monitoring tools, such as intrusion detection systems, that flag security breaches.
Corrective Controls
Corrective controls are measures taken after a risk event has occurred to limit its damage and restore systems or processes to their normal state. Where the corrective action also addresses the cause, for example by fixing the procedure that failed, it reduces the chance of a recurrence.
Examples include:
Disaster recovery plans that restore IT services after a cyber-attack.
Revising failed procedures or systems.
Disciplinary actions to correct employee behaviors.
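The three control types are easiest to see together on a single risk. The example below is added here and is not code from the original article; it takes the risk of password guessing against a login service and shows a preventive control (credential verification before any access), a detective control (counting recent failures per account within a sliding window), and two corrective controls (locking the account when the threshold is hit, and unlocking it after the event has been investigated). The user name, the password, the five-failures-in-ten-minutes policy, and the PBKDF2 iteration count are illustrative assumptions.

```python
# Added example (not from the original article): the three control types applied
# to one risk, password guessing against a login service. Names, thresholds and
# the sample user are assumptions chosen for illustration.
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed policy: lock after 5 failures ...
WINDOW = timedelta(minutes=10)  # ... within a 10-minute window


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self):
        self.users = {}                    # name -> (salt, password hash)
        self.failures = defaultdict(list)  # name -> timestamps of failed attempts
        self.locked = set()
        self.events = []                   # audit trail the detective control reads

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash_password(password, salt))

    # Preventive control: no access without a verified credential.
    def login(self, name: str, password: str, now: datetime) -> bool:
        if name in self.locked:
            self.events.append((now, name, "rejected_locked"))
            return False
        record = self.users.get(name)
        ok = record is not None and hmac.compare_digest(
            _hash_password(password, record[0]), record[1])
        self.events.append((now, name, "success" if ok else "failure"))
        if ok:
            self.failures[name].clear()
        else:
            self.failures[name].append(now)
            self.detect_and_correct(name, now)
        return ok

    # Detective control: count this account's failures inside the sliding window.
    def recent_failures(self, name: str, now: datetime) -> int:
        cutoff = now - WINDOW
        self.failures[name] = [t for t in self.failures[name] if t >= cutoff]
        return len(self.failures[name])

    # Corrective control: lock the account once the detective threshold is hit
    # and record the event so an operator is alerted.
    def detect_and_correct(self, name: str, now: datetime) -> bool:
        if name not in self.locked and self.recent_failures(name, now) >= FAIL_THRESHOLD:
            self.locked.add(name)
            self.events.append((now, name, "locked"))
            return True
        return False

    # Corrective control: restore normal service once the event is investigated.
    def unlock(self, name: str, now: datetime) -> None:
        self.locked.discard(name)
        self.failures[name].clear()
        self.events.append((now, name, "unlocked"))


def simulate() -> dict:
    """Run a constructed password-guessing attempt and report what each control did."""
    svc = LoginService()
    svc.add_user("alice", "correct horse battery staple")  # constructed sample user
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    guesses = ["password", "123456", "alice", "letmein", "qwerty", "welcome"]
    for i, guess in enumerate(guesses):          # six wrong guesses, a second apart
        svc.login("alice", guess, t0 + timedelta(seconds=i))
    locked_after_attack = "alice" in svc.locked
    # Side effect of the corrective control: the real user is blocked too.
    blocked_while_locked = not svc.login(
        "alice", "correct horse battery staple", t0 + timedelta(minutes=1))
    svc.unlock("alice", t0 + timedelta(minutes=30))
    restored = svc.login(
        "alice", "correct horse battery staple", t0 + timedelta(minutes=31))
    return {
        "locked_after_attack": locked_after_attack,
        "blocked_while_locked": blocked_while_locked,
        "restored_after_unlock": restored,
        "events": [e[2] for e in svc.events],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Running `simulate()` shows the sequence the article describes: five failures are recorded, the sixth attempt is rejected because the lock is already in place, the legitimate user is also refused until an operator unlocks the account, and service is then restored. The lock is deliberately a corrective control with a cost of its own (a denial-of-service lever against a known user), which is why the unlock step, and a human reviewing the "locked" event, belong to the design rather than being an afterthought.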
Risk Monitoring
Risk monitoring is essential after risks have been identified and treated, because the risks an organization faces keep changing and the factors that influence them can shift frequently. It is not enough to assume that the initial controls or mitigation measures will stay effective over time. As the company's environment, regulations, and external factors such as market changes or new technologies evolve, they change the organization's risk levels, and a control that was adequate last year may no longer be.
Risk monitoring, a key part of every risk manager’s role, involves regularly checking existing risks and spotting any new ones. This process ensures that risk treatments stay relevant, up-to-date, and effective as risks change. It also allows the risk manager to track how well risk controls are working and adjust them if needed to improve efficiency or reduce costs.
Without risk monitoring, an organization may rely on outdated controls that no longer work, leaving it vulnerable to unexpected threats. A structured, ongoing approach to risk monitoring helps the organization stay proactive, respond quickly to changes, and remain resilient. This approach ultimately strengthens the organization’s risk posture, keeping it aligned with current risks and supporting its strategic goals.