Risk Treatment and Response Options
Key Takeaways
- The four risk treatment options are mitigate (reduce), transfer (share), avoid, and accept; CISM tests when each is appropriate.
- Risk acceptance must be a formal, documented decision by the risk owner with appropriate authority — never a silent default.
- Transferring risk (e.g., cyber insurance, outsourcing) moves financial or operational exposure but does not transfer accountability or regulatory liability.
- A cost-justified control is one whose annual cost is less than the annual risk reduction it produces; controls should not cost more than the risk they address.
The Four Risk Treatment Options
Once a risk is evaluated and exceeds appetite, management chooses a risk treatment (also called risk response). CISM recognizes exactly four options, and the exam tests when each fits:
| Option | Also called | When appropriate | Example |
|---|---|---|---|
| Mitigate | Reduce / modify | Risk is too high but the activity is worth keeping | Add MFA, encrypt data, patch systems |
| Transfer | Share | Financial impact can be shifted to a third party | Cyber insurance, outsourcing to a vetted provider |
| Avoid | Eliminate | Risk is unacceptable and the activity is not essential | Discontinue a risky product line or feature |
| Accept | Retain / tolerate | Residual risk is within appetite, or treatment costs exceed benefit | Formally accept a low-impact, low-likelihood risk |
The most-tested nuance: risk acceptance is a positive, documented management decision made by the risk owner with the authority to bear the consequences — not a passive failure to act. An undocumented "we'll deal with it later" is not acceptance; it is unmanaged risk.
Transfer, Cost-Justification, and Control Selection
Transfer Does Not Move Accountability
A frequent CISM trap is assuming that buying cyber insurance or outsourcing a system transfers accountability. It does not. Transfer shifts financial or operational exposure, but the enterprise remains accountable for protecting its data and meeting regulatory obligations. After a breach at an outsourced provider, the data owner is still answerable to regulators and customers.
Cost-Justifying a Control
Mitigation is only justified when the control's annual cost is less than the annual risk reduction it achieves. Reusing the prior ALE method:
- Risk reduction = ALE(before) - ALE(after control)
- Control is justified when: Risk reduction > Annual control cost
Example: a risk has an ALE of $400,000. A control costing $120,000/year reduces ALE to $150,000. Risk reduction is $250,000 > $120,000, so the control is cost-justified. The exam expects you to reject controls that cost more than the risk they remove unless a compliance mandate forces them.
Selecting Among Options — Worked Scenario
A legacy application carries high residual risk but is essential and cannot be patched. As the manager, the strongest response is usually to mitigate with compensating controls (network segmentation, enhanced monitoring) and document any remaining residual risk for formal acceptance by the business owner. Avoidance is wrong because the app is essential; pure acceptance is wrong because residual risk still exceeds appetite; and insurance alone (transfer) leaves the operational risk live. Common trap: choosing "accept the risk" when the risk owner has not formally signed off and the level still exceeds appetite.
Combining Options and Control Types
Real treatment is rarely a single option. A mature plan often mitigates to bring risk near appetite, transfers the catastrophic financial tail through insurance, and formally accepts the small residual that remains. CISM expects the manager to recognize that these combine and that the goal is to drive residual risk to within appetite at justifiable cost — not to apply one label.
Control Categories the Exam Tests
Mitigation is implemented through controls, and the exam distinguishes them along two axes:
| Control type | When it acts | Example |
|---|---|---|
| Preventive | Before an event | Access controls, encryption, MFA |
| Detective | During/after an event | SIEM alerts, log review, IDS |
| Corrective | After, to restore | Backups, incident response, patching |
| Deterrent | Discourages action | Warning banners, visible monitoring |
| Compensating | Substitutes when primary infeasible | Segmentation for an unpatchable system |
A balanced program layers these (defense in depth) rather than relying on prevention alone, because no preventive control is perfect.
Sequencing the Decision
CISM rewards a disciplined order: (1) confirm residual risk and appetite, (2) evaluate treatment options against cost-benefit, (3) recommend a defensible response, (4) obtain the risk owner's decision, and (5) record it in the risk register with monitoring. The manager recommends; the accountable owner decides. Common trap: implementing a costly control immediately upon discovering a risk, before evaluating cheaper options or confirming the residual level actually exceeds appetite.
The treatment chosen should be proportionate, owned, documented, and re-monitored — feeding directly into the ownership and monitoring topics that close this domain.
A final tested nuance concerns timing and over-control. Implementing controls that drive residual risk far below appetite wastes resources just as surely as under-treating leaves exposure — the target is within appetite, not zero risk, because zero risk usually means zero activity. Equally, treatment that introduces new operational friction can create its own risks (a control so burdensome that staff bypass it). The manager weighs these second-order effects, reviews the treatment's effectiveness after implementation, and adjusts when the residual level or the business context shifts.
Proportionate, owned, and reviewed is the standard CISM rewards.
When multiple treatment options each appear viable on an exam item, apply this tiebreaker order: prefer the response that reduces residual risk to within appetite at the lowest justifiable cost, that the accountable owner can actually authorize, and that produces documentation and monitoring evidence. Avoidance is reserved for risks that outweigh the value of the activity; transfer suits financial tail risk but never accountability; acceptance is valid only with a formal, signed decision; and mitigation is the workhorse when the activity must continue.
Matching the option to the scenario's constraints — essential versus optional activity, cost versus benefit, owner authority — is the judgment the question is testing.
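The cost-justification rule (risk reduction versus annual control cost, with a compliance mandate as the override) and the decision order and tiebreaker above can be expressed as a small risk-register helper. The following Python is an added example written for this page, not ISACA material or a CISM tool; the `Risk` and `Control` classes, the `appetite` threshold, the `kind` and `mandated` flags, and all dollar figures beyond the page's $400,000 / $120,000 / $150,000 example are constructed assumptions. It encodes the page's judgments: confirm residual exceeds appetite before spending, drop controls that cost more than they remove unless mandated, prefer the cheapest justified mitigation that reaches appetite, avoid only when the activity is not essential, and for an essential activity combine mitigation with a justified transfer and put the remainder to the owner for formal acceptance rather than letting it default.

```python
"""Hypothetical risk-treatment helper illustrating ALE cost-justification and
the CISM decision order (confirm residual vs appetite, evaluate options on
cost-benefit, recommend, owner decides, record). Not an ISACA tool."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of operating the control
    ale_after: float         # ALE remaining once this control is in place on its own
    kind: str = "mitigate"   # "mitigate" or "transfer" (e.g. cyber insurance)
    mandated: bool = False   # a compliance mandate overrides the cost test


@dataclass(frozen=True)
class Risk:
    name: str
    ale_before: float            # current annualized loss expectancy
    appetite: float              # largest ALE the risk owner will tolerate
    activity_essential: bool     # False puts avoidance on the table


def risk_reduction(risk: Risk, ctrl: Control) -> float:
    """ALE(before) - ALE(after control)."""
    return risk.ale_before - ctrl.ale_after


def is_cost_justified(risk: Risk, ctrl: Control) -> bool:
    """Justified when reduction exceeds annual cost, or a mandate forces it."""
    return ctrl.mandated or risk_reduction(risk, ctrl) > ctrl.annual_cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Control]:
    """Drop unjustified controls; mandated first, then by net annual benefit."""
    justified = [c for c in controls if is_cost_justified(risk, c)]
    return sorted(justified,
                  key=lambda c: (not c.mandated, -(risk_reduction(risk, c) - c.annual_cost)))


def recommend_treatment(risk: Risk, controls: List[Control]) -> Dict[str, object]:
    """Manager's recommendation; the accountable owner still decides and signs."""
    # (1) Confirm residual actually exceeds appetite before spending anything.
    if risk.ale_before <= risk.appetite:
        return {"option": "accept", "controls": [],
                "note": "within appetite; record formal owner sign-off, keep monitoring"}
    # (2) Evaluate options on cost-benefit. Insurance alone never closes the gap:
    #     it moves financial exposure, not operational risk or accountability.
    ranked = rank_controls(risk, controls)
    mitigations = [c for c in ranked if c.kind == "mitigate"]
    transfers = [c for c in ranked if c.kind == "transfer"]
    # (3) Cheapest justified mitigation that brings residual within appetite wins.
    reaching = [c for c in mitigations if c.ale_after <= risk.appetite]
    if reaching:
        best = min(reaching, key=lambda c: c.annual_cost)
        return {"option": "mitigate", "controls": [best.name],
                "note": "residual within appetite; owner sign-off and monitoring required"}
    # Nothing reaches appetite: avoid only when the activity is not essential.
    if not risk.activity_essential:
        return {"option": "avoid", "controls": [],
                "note": "activity not essential and no justified control reaches appetite"}
    # Essential activity: mitigate as far as justified, transfer the financial
    # tail if justified, and put the remainder to the owner for formal acceptance.
    plan = []
    if mitigations:
        plan.append(mitigations[0].name)
    if transfers:
        plan.append(transfers[0].name)
    if not plan:
        return {"option": "escalate", "controls": [],
                "note": "no cost-justified control; escalate, never silently accept"}
    return {"option": "mitigate+transfer+accept" if transfers else "mitigate+accept",
            "controls": plan,
            "note": "residual still above appetite; document it for formal acceptance "
                    "by the risk owner (accountability stays with the enterprise)"}


# Constructed sample data: the page's $400k / $120k / $150k example with an
# assumed $200k appetite, plus an assumed legacy-app scenario.
PAGE_RISK = Risk("customer DB breach", ale_before=400_000, appetite=200_000,
                 activity_essential=True)
PAGE_CONTROL = Control("encryption + MFA", annual_cost=120_000, ale_after=150_000)

LEGACY = Risk("unpatchable legacy app", ale_before=600_000, appetite=100_000,
              activity_essential=True)
LEGACY_OPTIONS = [
    Control("gold-plated rewrite", annual_cost=900_000, ale_after=50_000),  # costs more than it saves
    Control("segmentation + monitoring", annual_cost=80_000, ale_after=250_000),
    Control("cyber insurance", annual_cost=60_000, ale_after=150_000, kind="transfer"),
]

if __name__ == "__main__":
    print(is_cost_justified(PAGE_RISK, PAGE_CONTROL))        # True
    print(recommend_treatment(PAGE_RISK, [PAGE_CONTROL]))
    print(recommend_treatment(LEGACY, LEGACY_OPTIONS))
```

Running it, the page's example control is cost-justified ($250,000 reduction against $120,000 cost) and, under the assumed appetite, is the recommended mitigation; the legacy-app scenario rejects the rewrite on cost, cannot reach appetite with segmentation alone, and so returns a combined plan of compensating controls plus insurance with the remainder flagged for formal acceptance, which is the answer the worked scenario above calls for. Swapping `activity_essential` to `False` on the same scenario flips the recommendation to avoidance, and an empty control list yields an escalation rather than a silent default.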
An organization purchases a comprehensive cyber-insurance policy to address the financial impact of a data breach. What remains true after this transfer?
A proposed control would cost $90,000 per year and is expected to reduce a risk's Annualized Loss Expectancy from $200,000 to $160,000. With no regulatory mandate involved, what should the manager conclude?