Skip to content
Skip to main content
header search
ahihi OpenLearn
OpenLearn
Menu
sticky search

About this free course

Become an OU student

Download this course

Share this free course

Course content Course content
Risk management
Risk management

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

More free courses

2 Treatment options

Options for risk treatment can be wide ranging, from changing the consequences or probability, removing the risk source, changing plans to avoid the risk altogether or accepting the risk (and making provision for it happening). Risk treatment is an iterative process, linking with other parts of the risk management process.

The figure and table that follow will recap some key definitions on the life cycle of a risk.

Described image
Figure 2 The iterative approach to treating risk
Show description|Hide description

A flow chart that starts with a box, Is the gross risk higher than risk appetite? An arrow with no leads to Accept risk. An arrow with yes leads to a box with: Is the current risk the same as the gross risk. An arrow with no leads to a box that contains: 1. List controls, 2. record evidence controls are effective (by design and operation). Another arrow with a yes leads to a box that contains: report risk is out of appetite. This box leads to another via an arrow that contains: Develop action plan to reduce risk level. An arrow then leads to a box that contains: Is the residual risk higher than risk appetite. A yes arrow leads to a box that contains: Have all treatment options been exhausted, which then goes to a yes arrow with a box that contains: Report that risk cannot be bought within appetite. Another arrow with a no comes from the previous box that contains: Implement action plan. Another arrow comes out of this box that leads to a box containing: Adjust current risk to new level post. Action plan to implementation. Back up to the box that contains 1. List controls, 2. record evidence controls are effective (by design and operation), an arrow coming from this box leads to a box that contains: based upon the evidence is the current level of risk supported. An arrow with a yes comes out of this and leads to another box that has: Is the current risk higher than appetite. A no arrow comes from this box and leads to a box that contains: Risk mitigated to acceptable level. a yes arrow leads to the box that contains report risk is out of appetite. Back to the box that contains: based upon the evidence is the current level of risk supported, an arrow with a no against it leads to a box containing: improve performance of existing controls. An arrow from this box leads back up to the box which contains: 1. List controls, 2. record evidence controls are effective (by design and operation).

Figure 2 The iterative approach to treating risk
Described image
Figure 3 The life cycle of a risk
Show description|Hide description

A probability impact diagram chart is an X,Y chart, in this case the probability is on the Y axis, with 5 steps, very low, low, medium, high and very high. The impact is on the x axis with the same 5 steps. The chart is colour coded. With a green cell for very low / very low, yellow cells for very low / low and low / low combinations, amber for very low / medium, low / medium and medium / medium combinations, red for very low / high, low /high / medium / high and high / high combinations and dark red for very low / very high, low / very high, medium / very high, high / very high and very high / very high combinations. In this version Gross Risk (also called inherent) sits in the cell very high / very high, Current Risk sits in the cell medium / medium, Residual Risk sits in the cell low / low and Target Risk sits in the cell very low / very low. Arrows link Gross to Current, Current to Residual and Residual to Target.

Figure 3 The life cycle of a risk
Table 1 The life cycle of a risk
Type of risk assessmentDefinition
Gross (also known as Inherent)The worst case: the level of risk assuming existing measures (e.g. controls) don’t work as intended.
CurrentThe level of risk faced today. When assessing the current risk level you need to understand: What measures are already in place that reduce the level of risk? How do you know that these measure are working properly?
FutureThe level of risk you will face in the future; this is commonly referred to as the Residual and Target risk level
Residual riskThe level of risk once all risk treatments have been completed. Good practice is to only take into account treatment activities that have been fully funded and resourced, as many companies find that without funding and resource, their best laid plans don’t happen! This leads to a potential further level of risk, the target risk level. This is the level of risk you want to take and is linked to risk appetite.

So there are potentially four levels (Gross, Current, Residual, Target) of risk that you may wish to assess. Often, however, things are simpler. Consider a few examples.

  • Residual risk = Target risk. On many occasions a company will fund all of the necessary treatment activities such that the level of risk faced once all treatment activities are completed will be the same as the level of risk they would wish to take, and therefore their residual risk is the same as their target risk
  • Residual risk = Target risk = Current risk. Furthermore, once a company has completed all ‘actions’ to reduce the level of risk, they may find that their current risk level is the same as their residual risk level, which in turn is the same as their target level. Remember, it is not the case that the risk can no longer happen: rather, based on the current controls (and assuming they are working effectively), the agreed level of risk is taken.

There is one further point to highlight, which is as circumstances change so can the risk level. This could be driven by things inside an organisation, as well as factors outside the organisation, it could be that new information is found that changes our view of a risk, or that technology changes change the nature of the risk. It is for this reason that risk assessment should be regularly revisited. Many organisations ensure there are links between their risks, the audit and assurance findings and their incident management processes for precisely this reason, as this gives them clear and early notification if their risk level is changing.