Episode 37: Understanding Risk Treatment Options (Accept, Mitigate, Transfer, Avoid)

Welcome to The Bare Metal Cyber CRISC Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Risk treatment refers to the decisions and actions an organization takes to change its exposure to a specific risk. It is not only about lowering risk, but about adjusting the risk to match what the organization is willing and able to accept. The main goal is to make sure that each risk sits within the boundaries of what the business considers acceptable. In practice, this might mean reducing the risk, avoiding it, transferring it to someone else, or accepting it outright. Sometimes the best decision is to document the risk, monitor it, and choose not to act if the business context allows. This is especially true when the effort or cost of treating the risk would be greater than the value of doing so. Risk treatment must be based on clarity: there should be a strong understanding of what the risk is, who owns it, when action must happen, and what the result should look like. If a risk is unclear or no one is responsible for it, treatment actions tend to fail. You will often see exam scenarios that test whether you can correctly pair a risk with the treatment option that fits the situation best. Success on these questions comes down to understanding the details of each treatment path and knowing what conditions make one more appropriate than another.
Acceptance is a formal decision to tolerate a risk rather than treat it through controls, avoidance, or transfer. In other words, the organization chooses to leave the risk in place because it believes the impact is low or manageable. For this to be valid, the residual risk (the amount left after existing controls) must still be within the organization's risk tolerance. Residual risk that exceeds tolerance should not be accepted unless the tolerance level has been revised by the proper governance group. For example, a business might choose to accept the risk of a brief system outage during monthly maintenance, since the impact is low and controls are already in place. Another example would be tolerating minor fraud risk on low-value transactions where the cost of controls would exceed the losses. It is important to understand that acceptance must be documented. Informal or undocumented acceptance creates audit and compliance problems. The risk should appear in the risk register, with a clear explanation of why acceptance was chosen, who approved it, and when the decision will be reviewed. Approval must come from the correct level of governance: line managers cannot approve the acceptance of high-risk items on their own. In exam questions, look for phrases like "no further action was taken" or "leadership reviewed the situation and agreed to accept the exposure" as signs of this treatment type.
Mitigation is the most widely used treatment option because it directly lowers the level of risk by reducing either the chance that the risk will happen or the severity of its impact. This is usually done by applying controls. Controls can be preventive, to stop events from happening, detective, to find them quickly, or corrective, to limit the damage after something occurs. For instance, installing an access control system is a preventive control, while reviewing system logs is a detective control. An incident response plan that restores a compromised system would be a corrective control. The key to successful mitigation is making sure the control is appropriate to the risk. A firewall might help against external attacks, but it would not stop an internal fraud issue. Controls that are generic or not targeted to the real root of the risk are likely to fail. In some cases, mitigation might involve tuning or upgrading controls that already exist, such as making password policies stricter or updating antivirus tools. Mitigation must also consider cost, timing, and the practicality of implementation. On the exam, you may be asked to choose the control that would best reduce risk in a specific scenario. Focus on how closely the control matches the cause and nature of the risk, not just on whether the control is powerful in general.
Transfer (ISACA also calls this option risk sharing) involves shifting the financial consequences or operational responsibility for a risk to a third party. This can be done through insurance policies, service contracts, outsourcing agreements, or legal clauses that specify who bears the cost of a failure. It is important to remember that only part of the consequences can be transferred; accountability cannot. The organization remains ultimately accountable to its customers and regulators. For example, if you outsource payroll processing to a vendor and that vendor makes a critical error, the organization still faces reputational and regulatory risk, even if financial losses are reimbursed. Insurance might pay for damages, but it does not restore lost customer trust or regulatory goodwill. Because of this, risk transfer still requires active oversight. The third party must be monitored, and the arrangement should be documented with clear performance expectations. On the exam, watch for wording that involves contracts, third-party providers, insurance, or indemnity clauses. These often point toward a transfer approach. Also be careful not to confuse delegation of tasks with transfer. Giving someone else the job is not the same as formally transferring risk.
Avoidance is the most extreme form of treatment. It means choosing not to engage in the activity that causes the risk. The result is that the risk is removed entirely, since the source of exposure no longer exists. This option is used only when the risk is considered too high and there are no reasonable ways to control or transfer it. For example, if launching a new online service would expose the company to compliance risks it is not ready to handle, leadership might cancel the project altogether. Another example is withdrawing from a market where political or legal instability presents uncontrollable threats. Avoidance can be very disruptive, especially when it involves abandoning business opportunities, stopping large initiatives, or restructuring operations. Because of this, it should always be carefully justified and formally approved. In the exam, clues like “the initiative was canceled due to risk” or “management chose not to proceed with the project” are signals of avoidance. This option should not be confused with delay or deferral. Avoidance means permanent cancellation, not postponement.
Choosing the right treatment option involves more than knowing definitions. It requires comparing options based on cost, timing, risk appetite, and business impact. Cost is often the first factor. If treating the risk will cost more than the expected impact of the risk, acceptance might be justified. However, if the risk is severe or unpredictable, even costly treatment might be worthwhile. Risk appetite is the second factor. Each organization has limits on how much uncertainty it is willing to accept. A treatment choice must fall within these boundaries. Next comes timing. Some treatments can be applied quickly, while others take time and may not address urgent risks in time. The speed of the risk—how fast it can cause damage—should influence how fast the treatment needs to work. Stakeholder impact is also critical. A treatment that causes major disruption might not be acceptable even if it reduces risk effectively. The best option is the one that balances all these factors and supports the organization’s strategic goals. In the exam, the right answer is often the one that aligns with both business value and feasibility, not just what sounds strongest on paper.
In many cases, a single treatment method is not enough. Complex risks often affect multiple areas and need a mix of responses. This is where hybrid treatments come in. For example, a company might reduce risk by limiting access to sensitive data while also purchasing cyber insurance in case of a breach. This blends mitigation and transfer into a coordinated solution. Hybrid approaches are useful when one method alone cannot fully address the risk. These approaches must be designed carefully to make sure the parts work together and are not duplicated or in conflict. Each element of the hybrid treatment should be documented, along with how it connects to the others. Layered responses also require active monitoring to make sure all pieces remain effective. On the exam, hybrid treatments may be presented in complex scenarios with multiple risk sources. Only choose a hybrid option when the question clearly shows that a single treatment would not be enough. If the scenario is simple or focused, a single, targeted treatment is likely the better choice.
No matter which treatment option is chosen, the decision must be formally recorded. This includes adding it to the risk register or another official tracking system. The documentation should explain what the risk is, what treatment was selected, why that treatment was chosen, who is responsible, and what level of residual risk remains. Cost, timing, and monitoring plans should also be included. Governance is responsible for reviewing and approving the treatment, especially for higher-risk items. If the decision is not documented, it creates problems during audits, reviews, or compliance assessments. A missing record might look like the organization failed to act at all. The exam often includes scenarios where weak or missing documentation leads to problems. Choosing the answer that emphasizes visibility, traceability, and approval is often the correct path. Documented treatment plans are also critical for tracking performance over time and adjusting if things change.
After a treatment is applied, the risk environment continues to evolve. New threats might appear, existing controls might fail, or business conditions might change. This means that even treated risks must be watched. Monitoring is the ongoing process of checking whether a treatment is still effective. This is done through key risk indicators, performance metrics, control testing, internal audits, or regular reviews. Triggers should be defined that prompt a re-evaluation. For example, a spike in failed login attempts might indicate a change in the threat landscape. Another example would be a shift in legal requirements that changes the risk associated with a process. The exam may describe a situation where residual risk increases and ask what should be done. In those cases, the correct answer usually involves reassessing the risk and updating the treatment. Monitoring is what ensures that risk treatment stays relevant, effective, and aligned with current business needs.
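The two points above, that a treatment decision must be recorded with its owner, approver and residual risk, and that a defined trigger should send a treated risk back for reassessment, can be expressed as checks over a risk register. The block below is an added example written for this page, not part of the episode or any ISACA material. The 1-to-25 scoring scale, the governance ranking, the threshold of 12 for "high" residual risk, the RiskEntry fields and the log lines are all constructed assumptions for illustration; a real register would use the organization's own scale and approval matrix.

```python
"""Risk-register treatment checks and a failed-login KRI trigger (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical governance ordering: a higher rank may approve what a lower one may not.
GOVERNANCE_RANK = {"line_manager": 1, "risk_committee": 2, "board": 3}
# Hypothetical rule: residual risk above this score (on a 1-25 likelihood x impact
# scale) needs risk-committee sign-off or higher.
HIGH_RISK_THRESHOLD = 12


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: Optional[str]
    treatment: str              # accept | mitigate | transfer | avoid
    residual_score: int         # risk left after existing controls
    tolerance_score: int        # maximum residual the business will accept
    approved_by: Optional[str]  # governance level that approved the decision
    rationale: str = ""
    third_party: Optional[str] = None
    monitoring_plan: str = ""


def validate_treatment(e: RiskEntry) -> List[str]:
    """Return the documentation and governance gaps an auditor would flag."""
    issues = []
    if not e.owner:
        issues.append("no risk owner assigned")
    if not e.rationale:
        issues.append("treatment rationale not documented")
    if e.approved_by not in GOVERNANCE_RANK:
        issues.append("approval not recorded or approver unknown")
    if e.treatment == "accept":
        if e.residual_score > e.tolerance_score:
            issues.append("accepted residual risk exceeds tolerance")
        rank = GOVERNANCE_RANK.get(e.approved_by, 0)
        if e.residual_score > HIGH_RISK_THRESHOLD and rank < GOVERNANCE_RANK["risk_committee"]:
            issues.append("high residual risk accepted below the required governance level")
    elif e.treatment == "transfer":
        if not e.third_party:
            issues.append("transfer recorded but no third party named")
        if not e.monitoring_plan:
            issues.append("transferred risk has no oversight plan (accountability is retained)")
    elif e.treatment == "mitigate":
        if e.residual_score > e.tolerance_score:
            issues.append("mitigation leaves residual risk above tolerance; further treatment needed")
    elif e.treatment != "avoid":
        issues.append(f"unknown treatment option {e.treatment!r}")
    return issues


# Constructed register entries (not real risks).
REGISTER = [
    RiskEntry("R-01", "Brief outage during monthly maintenance window", "Ops lead",
              "accept", 6, 8, "line_manager", "Impact low; change controls in place"),
    RiskEntry("R-02", "Unpatched internet-facing legacy server", "App owner",
              "accept", 16, 8, "line_manager", "Vendor patch not yet available"),
    RiskEntry("R-03", "Payroll processing errors by outsourced provider", "HR director",
              "transfer", 9, 10, "risk_committee", "Contract with indemnity clause",
              third_party="Payroll vendor"),  # no monitoring_plan: oversight gap
]


def register_issues() -> dict:
    """Map each risk id to the problems found in its treatment record."""
    return {e.risk_id: validate_treatment(e) for e in REGISTER}


# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:05 sshd FAILED_LOGIN user=bob src=203.0.113.7
2024-05-01T10:00:09 sshd FAILED_LOGIN user=bob src=203.0.113.7
2024-05-01T10:00:14 sshd FAILED_LOGIN user=root src=203.0.113.7
2024-05-01T10:00:20 sshd LOGIN_OK user=alice src=192.0.2.10
2024-05-01T10:00:31 sshd FAILED_LOGIN user=admin src=203.0.113.7
2024-05-01T10:00:40 sshd FAILED_LOGIN user=admin src=203.0.113.7
2024-05-01T10:00:55 sshd FAILED_LOGIN user=bob src=203.0.113.7
2024-05-01T14:30:00 sshd FAILED_LOGIN user=carol src=192.0.2.44
"""


def parse_failed_logins(log_text: str) -> List[datetime]:
    """Extract timestamps of FAILED_LOGIN events from the constructed log format."""
    stamps = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "FAILED_LOGIN":
            stamps.append(datetime.fromisoformat(parts[0]))
    return stamps


def kri_triggered(timestamps: List[datetime], window: timedelta, threshold: int) -> bool:
    """True when at least `threshold` events fall inside any sliding window of `window`.
    Two-pointer sweep over the sorted timestamps, so it is linear in the event count."""
    ts = sorted(timestamps)
    start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def needs_reassessment(log_text: str, window=timedelta(minutes=5), threshold=5) -> bool:
    """Trigger that sends a treated risk back for re-evaluation when the KRI fires."""
    return kri_triggered(parse_failed_logins(log_text), window, threshold)


if __name__ == "__main__":
    for rid, problems in register_issues().items():
        print(rid, problems or "ok")
    print("reassess:", needs_reassessment(SAMPLE_LOG))
```

R-01 passes because the residual sits inside tolerance and a line manager may approve a low-scored acceptance. R-02 is flagged twice: the residual of 16 exceeds both the tolerance of 8 and the threshold that requires risk-committee approval, which is exactly the "line managers cannot accept high-risk items" rule from the acceptance section. R-03 has a named third party and committee approval but no oversight plan, so the check reminds the reader that accountability stayed in-house. The trigger fires on the constructed log because seven failures land inside one five-minute window; raising the threshold to 10 leaves the treatment untouched.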
CRISC exam questions will often use language that points clearly to a specific treatment option. For example, if a question says “the organization chose to accept the risk after review by the board,” this is a clue that acceptance is the intended answer. If the question asks what control would best reduce the likelihood of a system breach, mitigation is the appropriate treatment. When a function is outsourced to a vendor and backed by a service level agreement, the risk is being transferred. If the scenario says that a project was canceled because of excessive risk exposure, that is a signal of avoidance. The key to answering correctly is reading closely for signs about impact, control, cost, and governance. Always connect the decision back to the business context, not just the definition of the term. Some wrong answers will sound strong or popular, but they will not fit the scenario. Correct choices always align with risk tolerance, risk severity, governance approval, and the stated impact or timing. Think like a risk practitioner who must make practical, supported decisions, not just textbook ones.
Thanks for joining us for this episode of The Bare Metal Cyber CRISC Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.