Identifying and rating risks is diagnosis. Treatment is medicine. And an odd thing happens at this transition in many organizations: energy evaporates. The workshop was lively, the matrix is colorful — and six months later, the treatment column still says "TBD."
Part of the problem is that treatment feels open-ended, as if every risk demands a bespoke solution. It doesn't. Every risk response ever devised falls into one of four strategies. Once you see them clearly, treatment becomes a multiple-choice question — and much easier to actually finish.
Strategy 1: Avoid — don't play the game
Avoidance means eliminating the risk by eliminating the activity that creates it. Don't enter the market with the unstable regulatory regime. Don't store the sensitive data you don't strictly need. Retire the legacy system instead of patching it for another year.
Avoidance is the only strategy that takes a risk to zero, and it's underused — partly because it feels like defeat, and partly because nobody's job description includes proposing that the company stop doing something. But some of the best risk decisions in business history were avoidance decisions: products not launched, acquisitions not made, features deliberately not built.
The discipline: for every red-zone risk, at least ask the question "could we simply not do this — or do it differently enough that the risk disappears?" Usually the answer is no, the activity is core. But when the answer is yes, avoidance is free safety.
The trap: avoidance has a shadow cost, the value of the foregone activity. Avoiding all risk means avoiding all opportunity. Use it surgically, not as a reflex.
Strategy 2: Reduce — shrink the odds, the damage, or both
Reduction (also called mitigation) is the workhorse strategy — most treatments in most registers are reductions. The key insight is that you can attack either axis of the matrix, and the best treatments attack both.
Reducing likelihood means making the event rarer: staff training, quality gates, redundant suppliers, patch management, four-eyes principles, preventive maintenance. These are your firewalls, literal and figurative.
Reducing impact means making the event survivable: backups, incident response plans, insurance deductible structures, contractual liability caps, crisis communication playbooks, business continuity arrangements. These accept that the event may happen and ensure it hurts less.
The two are not interchangeable, and mature treatment plans usually pair them. Consider ransomware: awareness training and email filtering reduce likelihood; offline backups and a rehearsed recovery plan reduce impact. Either alone leaves you exposed — likelihood controls fail eventually, and impact controls unused are expensive if the event never comes. Together they move a risk diagonally across the matrix, which is exactly the movement you want.
One quality bar for reductions: they must be verifiable. "Increase awareness" is not a control; "quarterly phishing simulation with follow-up training for click-throughs, results reported to the security board" is. If you can't check whether a measure is operating, assume it isn't.
Strategy 3: Transfer — make it someone else's problem (partly)
Transfer (the ISO term is sharing) hands part of the risk to a party better equipped to carry it. The classic instrument is insurance: you trade a certain small loss (the premium) for protection against an uncertain large one. Other forms are just as common: contractual clauses that shift liability to suppliers, outsourcing to specialists, joint ventures that split exposure, payment providers who carry fraud risk.
Transfer is powerful and routinely misunderstood in one crucial way: you can transfer the financial consequence, but rarely the whole risk. If your cloud provider fails, the SLA credits arrive — but it's still your customers who couldn't order, your reputation in the headlines, your regulator asking questions. Insurance pays for the breach; it doesn't un-breach the data.
So treat transfer as an impact reducer, not an eliminator. And read the boundaries: every insurance policy has exclusions, every SLA has caps, and the gap between what you think is covered and what is actually covered is itself a risk worth putting in the register. More than one organization has discovered its cyber policy's fine print only during the incident it was bought for.
Strategy 4: Accept — with eyes open
Some risks you simply carry. The likelihood is low, the impact bearable, and every available treatment costs more than the exposure justifies. Acceptance is the correct strategy for the whole green zone of your matrix and, after treatment, for the residual portion of nearly every other risk.
The single word that separates professional acceptance from negligence: documented. Accepted risks need a named acceptor with the authority to accept at that level, a written rationale, and a review date — because the risk you rightly accepted in 2024 may look very different after your business has doubled.
What acceptance must never be is the default that happens when nobody does anything. Undocumented acceptance is just ignorance with better posture. The register makes the difference visible: "accepted by COO on 12.03, rationale attached, review in Q1" versus a blank cell.
Choosing: the economics of treatment
With four options on the table, selection is an economic question: does the treatment cost less than the risk reduction is worth?
You don't need precision for this — rough numbers expose the answer quickly. A risk with an estimated expected loss of CHF 20k per year doesn't justify a CHF 150k control with CHF 30k annual maintenance. It might justify a CHF 15k insurance premium, or acceptance.
Three practical rules sharpen the choice. Treat the red zone first — urgency follows the matrix. Prefer treatments that address several risks at once — good backup infrastructure mitigates ransomware, hardware failure, human error, and natural disaster simultaneously, which quietly makes it far cheaper than it looks. And beware the over-treatment trap: gold-plating minor risks while red risks wait is the most common resource misallocation in the field, usually because minor risks are easier to fix.
The part everyone skips: follow-through
A treatment decision is not a treatment. The register entry needs an owner (one name, not a department), a deadline, and a status that someone actually checks. And once implemented, the risk gets re-assessed: did the residual rating land where we expected?
That closing of the loop — decide, implement, verify, re-rate — is what separates organizations that manage risk from organizations that document it. The four strategies give you the vocabulary. The follow-through gives you the results.