Risk Treatment — Strategies & Mitigation

Key Takeaways

  • Risk treatment strategies are avoid, assume/accept, transfer, spread (diversify), and mitigate/reduce.
  • Cost-benefit analysis compares countermeasure cost against the loss it prevents; a countermeasure is justified only when its risk reduction exceeds its annualized cost.
  • Mitigation techniques fall into four categories: technology, personnel, process (procedural), and facility design — layered together for defense-in-depth.
  • Risk transfer shifts financial consequence to a third party (e.g., insurance or contractual indemnification) while the underlying exposure often remains with the organization.
  • Ongoing data collection and trend analysis determine whether a chosen treatment is still working and feed back into the continuous-improvement cycle.
Last updated: July 2026

From Assessment to Treatment

Once a threat has been identified and rated (Section 1.5), the security manager must decide what to do about it. This decision point is risk treatment — also called risk response — selecting and implementing a strategy that brings residual risk down to a level the organization can tolerate, at a cost it is willing to bear.

Cost-Benefit Analysis

Every treatment decision must be justified through cost-benefit analysis: comparing the cost of a proposed countermeasure against the value of the loss it is expected to prevent. In quantitative terms, this often uses Annualized Loss Expectancy — Single Loss Expectancy multiplied by the Annualized Rate of Occurrence — as the "before" baseline, then compares it to the Annualized Loss Expectancy after the countermeasure is deployed, plus the countermeasure's own annualized cost. A countermeasure is economically justified only when it reduces loss exposure by more than it costs to implement and maintain. This same discipline also drives the return-on-investment and total-cost-of-ownership calculations a CPP must be able to present to executive leadership and finance stakeholders, building on the budgeting principles taught in Chapter 2.

The Risk Treatment Strategies

The CPP Body of Knowledge organizes risk treatment into a defined set of strategies:

StrategyDefinitionExample
AvoidEliminate the risk entirely by not engaging in the activity or removing the exposureDeclining to open a retail location in a high-crime area; discontinuing a hazardous product line
Assume / acceptRetain the risk because it is low-probability, difficult to protect against, or the cost of treatment exceeds the potential lossSelf-insuring against minor equipment theft rather than adding a guard post
TransferShift the financial consequence of the risk to a third party while ownership of the underlying exposure often remainsPurchasing insurance; contractual hold-harmless and indemnification clauses; outsourcing a hazardous function to a vendor
Spread (diversify)Reduce the impact of any single loss event by distributing the asset or function across multiple locations or redundant systemsGeographically separated data backups; redundant power feeds; splitting inventory across multiple warehouses
Mitigate / reduceLower the likelihood or severity of the risk through countermeasures, without eliminating the underlying exposureInstalling access control, CCTV, or additional lighting; adding a second security officer post

Mitigate/reduce is frequently tested as a distinct fifth strategy alongside the four classic risk-financing strategies of avoid, assume, transfer, and spread, because it is the strategy security countermeasures most directly implement. Most physical, personnel, and technology security programs exist to mitigate risk that cannot be economically avoided, transferred, or spread.

Mitigation Techniques

When mitigation is selected, the CPP has four broad categories of countermeasure available, and effective programs typically blend more than one:

  • Technology — access control systems, intrusion detection, CCTV and video analytics, alarms, and cyber controls.
  • Personnel — security officers, receptionists and guards trained in observation and reporting, investigators.
  • Process (procedural) — policies, standard operating procedures, visitor management protocols, incident-reporting workflows.
  • Facility design — Crime Prevention Through Environmental Design, barriers, lighting, and layout that discourages or delays an adversary, detailed further in Chapter 5.

No single category is sufficient alone. The layered, or defense-in-depth, application of technology, personnel, process, and design together is what the exam expects a CPP-level candidate to recommend, rather than a single-point fix.

Data Collection and Trend Analysis

Risk treatment is not a one-time decision. A mature program continuously collects data — incident reports, near-miss logs, access-control exceptions, and post-incident reviews — and performs trend analysis to determine whether a treatment is working, whether ratings have shifted, and whether the strategy should be revisited. Trend analysis also supports benchmarking against industry peers and feeds back into the continuous-improvement cycle described in Section 1.3, closing the loop between assessment, treatment, and re-assessment that defines Enterprise Security Risk Management.

Choosing Among the Strategies

In practice, most risks are treated with a combination rather than a single pure strategy: an organization might mitigate a risk down to a residual level with access control and guard patrols, transfer the remaining residual exposure through insurance, and accept whatever small residual risk is left after both are applied. The exam rewards candidates who can identify which strategy, or combination, best fits a given cost-benefit scenario rather than defaulting to the most technology-intensive option.

Common Selection Errors

Two mistakes recur on the exam and in practice. The first is treating "accept" as the default when a countermeasure simply seems expensive, without running the cost-benefit comparison — acceptance should be a deliberate, documented decision, not a fallback for avoiding budget conversations. The second is over-mitigating a low-criticality risk because a vendor or internal champion favors a particular technology, wasting budget that could treat a higher-priority risk elsewhere on the matrix built in Section 1.5. A defensible treatment plan always ties the chosen strategy back to the specific likelihood and criticality rating the risk received, and to a documented cost-benefit comparison.

Presenting Treatment Decisions to Leadership

Because most treatment decisions require budget approval, the CPP must present the cost-benefit case in terms executive leadership and finance stakeholders use: expected annual loss before and after the countermeasure, the countermeasure's total annualized cost including maintenance and staffing, and the resulting risk reduction expressed in dollars, not just qualitative terms such as "safer." Framing recommendations this way — the same discipline applied to budgeting in Chapter 2 — distinguishes a security program that competes successfully for resources from one treated as a pure cost center.

Test Your Knowledge

A security manager decides to purchase an insurance policy covering fire losses at a warehouse rather than fund a full sprinkler-system retrofit. Which risk treatment strategy is being applied?

A
B
C
D
Test Your Knowledge

Which risk treatment strategy involves separating critical data backups across geographically distant facilities so that a single incident cannot destroy all copies?

A
B
C
D