After a risk assessment, what are your options for treating a risk? Give an example of each.
Short answer
You can mitigate (reduce likelihood/impact with controls), transfer (shift the financial impact via insurance or contracts), avoid (stop the risky activity entirely), or accept (knowingly tolerate the residual risk). The choice depends on risk appetite and a cost-benefit comparison against the risk's expected loss.
Once a risk is identified and analyzed, leadership must decide what to do about it. CISSP defines four treatment options, and interviewers want both the list and the judgment to choose between them.
The four options
- Mitigate (reduce) — apply controls to lower likelihood or impact. Deploying MFA to cut account-takeover risk is mitigation. This is the most common treatment, but it rarely drives risk to zero.
- Transfer (share) — shift the financial consequence to a third party, typically through cyber insurance or contractual clauses with a vendor. The risk event can still happen; you have just moved who pays. You cannot transfer reputational damage or your accountability.
- Avoid — eliminate the risk by not engaging in the activity at all, e.g. discontinuing a feature or declining to enter a market. Appropriate when the risk dwarfs the reward.
- Accept — make an informed decision to tolerate the risk, usually when the cost of treatment exceeds the expected loss. Acceptance must be deliberate, documented, and signed off by the appropriate business owner.
Residual risk
After mitigation, some residual risk always remains. The organization must consciously accept that residual risk — it is never the security team's call alone. The right person to sign is the business owner or senior management whose budget and accountability the risk touches.
Tying it to cost-benefit
The decision is economic: compare the ALE of the risk against the cost of each treatment. If a control costs more than the loss it prevents, accepting or transferring may be the rational choice. This is why treatment selection is governance, not pure engineering.
What interviewers look for
The exact four terms (mitigate, transfer, avoid, accept), a concrete example for each, the point that transfer does not erase the risk, and clarity that risk acceptance belongs to a business owner against documented residual risk.
Likely follow-ups
- Who in the organization is authorized to formally accept a risk?
- Why is transferring risk not the same as eliminating it?
- What is residual risk and when does it arise?