Risk Treatment Options and Tradeoffs

Key Takeaways

  • The common treatment options are mitigate, avoid, transfer, and accept.
  • Mitigation reduces likelihood, impact, or both through safeguards and process changes.
  • Avoidance stops the risky activity when the benefit does not justify the exposure.
  • Transfer shifts some financial or operational consequence, but accountability usually remains with the organization.
  • Acceptance should be documented, informed, and aligned with risk tolerance.
Last updated: April 2026

Key Concepts

After a risk is identified and assessed, the organization chooses how to treat it. The four standard options introduced at this level are mitigate, avoid, transfer, and accept. The right choice depends on business value, risk level, cost, legal duties, customer expectations, and available controls.

Mitigation reduces likelihood, impact, or both. Adding MFA reduces the likelihood that a stolen password becomes account takeover. Backups reduce the impact of ransomware or accidental deletion. Network segmentation can reduce both likelihood and impact by limiting paths and blast radius. Mitigation is the most common exam answer when the activity must continue and the risk is above tolerance.

Avoidance means stopping the risky activity. If a small nonprofit wants to store donor credit card data locally but has no business need to retain it, the safer choice may be to avoid storing card data and use a payment provider. Avoidance is not failure; it can be the best business decision when risk is high and benefit is low.

Transfer shifts some consequence to another party. Cyber insurance may transfer part of financial loss. A managed service provider may take over certain operational responsibilities. A cloud provider may handle physical data center security. Transfer does not eliminate risk, and it does not remove accountability for selecting vendors, defining contracts, monitoring performance, and meeting legal obligations. If an organization outsources payroll, it still cares whether employee data is protected.

Acceptance means knowingly living with the risk. This is reasonable when risk is low, treatment is more costly than the likely impact, or the risk is within tolerance. Acceptance should be documented and approved at the proper level. A help desk analyst should not personally accept enterprise legal risk. The business owner or risk owner must understand what remains.

Treatment   Scenario clue                              Example
Mitigate    Activity continues but risk is too high    Add MFA and monitoring
Avoid       Stop the risky activity                    Do not store sensitive data locally
Transfer    Shift some consequence                     Buy insurance or use a qualified provider
Accept      Risk is within tolerance                   Document low-risk exception

Tradeoffs matter. Controls cost money, time, attention, and usability. A control that blocks work may create shadow IT or unsafe workarounds. A cheap control may not reduce the risk enough. A perfect control may be unrealistic. Security work often means choosing a proportional response.

Exam Application

Scenario example: A company allows remote access to an internal admin portal with only passwords. The portal supports critical systems. Avoidance could disable remote access, but that might break operations. Transfer does not fit well because authentication risk remains internal. Acceptance is weak because impact is high and the weakness is obvious. Mitigation is the likely answer: enforce MFA, restrict access through VPN or zero trust access, limit admin privileges, log activity, and review accounts.

Scenario example: A marketing team wants to publish a public dataset but discovers it includes customer email addresses. If the business goal can be met with aggregated or anonymized data, avoidance or mitigation may be best: remove personal data, review the dataset, and publish only what is necessary. If the team simply accepts the risk without privacy review, the decision is likely inappropriate.

Compensating controls appear when the preferred control cannot be used immediately. If a legacy system cannot support MFA, compensating controls might include network isolation, jump server access, stronger monitoring, limited accounts, shorter sessions, and a replacement deadline. A compensating control is not an excuse to keep unsafe systems forever. It is a practical temporary or alternate safeguard that reduces risk enough to operate within tolerance.

For CC scenario questions, identify whether the organization is trying to reduce, stop, shift, or knowingly keep the risk. Then check whether the choice fits the facts. The best answer is usually the one that aligns risk level with business need and accountability.

Test Your Knowledge

A company stops collecting a sensitive data field because it is not needed for business operations. Which risk treatment is this?

Test Your Knowledge: Multi-Select

Which statements about risk transfer are correct? Choose two.

It can shift some financial consequence
It does not remove all accountability from the organization
It always eliminates residual risk
It is the same as ignoring the risk
Test Your Knowledge: Matching

Match each treatment option to the best example.

1. Mitigate
2. Avoid
3. Transfer
4. Accept