Risk Treatment Options and Tradeoffs

Key Takeaways

  • The four treatment options the CC (ISC2 Certified in Cybersecurity) exam tests are mitigate (reduce), avoid (eliminate), transfer (share), and accept (retain).
  • Mitigation reduces likelihood, impact, or both, and is the usual answer when the activity must continue but risk exceeds tolerance.
  • Transfer shares financial or operational consequence but never removes accountability or legal responsibility.
  • Acceptance must be informed, documented, within tolerance, and approved at the correct management level.
  • Compensating controls are a temporary alternate safeguard, not a permanent excuse to keep an unsafe system.
Last updated: June 2026

Key Concepts

Once a risk is identified and assessed, the organization chooses a treatment. CC tests four options: mitigate (reduce), avoid (eliminate), transfer (share), and accept (retain). The right choice depends on business value, risk level, cost, legal duty, customer expectations, and the controls actually available.

Mitigation reduces likelihood, impact, or both. MFA cuts the likelihood that a stolen password becomes account takeover. Backups cut the impact of ransomware or accidental deletion. Network segmentation cuts both — fewer attack paths and a smaller blast radius. Mitigation is the most common keyed answer when the activity must continue and the risk is above tolerance.

Avoidance stops the risky activity entirely. A nonprofit that wants to store donor card data locally, but has no business need to retain it, should avoid storing card data and route payments through a PCI DSS-compliant payment provider so that card numbers never touch its own systems. Avoidance is not failure; it is the right call when risk is high and benefit is low.

Transfer shares the consequence with another party. Cyber insurance shifts part of the financial loss. A managed service provider takes on certain operational duties. A cloud provider handles physical data-center security under a shared-responsibility model. Transfer never eliminates the risk and never removes accountability for vendor selection, contract terms, oversight, and legal obligations. Outsource payroll and you still answer for protecting employee data.

Acceptance means knowingly retaining the risk — reasonable when risk is low, when treatment costs more than the likely loss, or when the risk is already within tolerance. It must be documented and approved at the proper level. A help-desk analyst cannot accept enterprise legal risk; the business or risk owner must.

Treatment | Scenario clue | Example
Mitigate | Activity continues but risk is too high | Add MFA, monitoring, and segmentation
Avoid | Stop the risky activity altogether | Do not store sensitive data locally
Transfer | Share some consequence | Buy cyber insurance; use a qualified provider
Accept | Risk is within tolerance | Document an approved low-risk exception

Tradeoffs are real. Controls cost money, time, attention, and usability. A control that blocks legitimate work breeds shadow IT and unsafe workarounds. A cheap control may not reduce risk enough; a perfect control may be unrealistic. Security usually means a proportional response, not a maximal one.

Exam Application

Scenario: a company exposes an internal admin portal for critical systems over the internet with passwords only. Avoidance (disable remote access) might break operations. Transfer fits poorly because the authentication risk is internal. Acceptance is weak because impact is high and the weakness is obvious. Mitigation is the likely answer: enforce MFA, gate access behind VPN or zero-trust access, apply least privilege to admin accounts, log activity, and review accounts.

Scenario: a marketing team wants to publish a public dataset that turns out to include customer email addresses. If the business goal can be met with aggregated or anonymized data, mitigation or avoidance wins: strip personal data, review the file, publish only what is necessary. Simply accepting the risk with no privacy review is inappropriate.

Compensating controls appear when the preferred control is not feasible yet. If a legacy system cannot support MFA, compensating controls may include network isolation, access only through a monitored jump host, fewer privileged accounts, shorter sessions, daily log review, a documented exception, and a hard retirement date. A compensating control is a practical interim safeguard that brings residual risk inside tolerance — not a license to run an unsafe system forever.

For CC items, decide whether the organization wants to reduce, stop, share, or knowingly keep the risk, then check the choice against the facts. The best answer aligns the risk level with the business need and assigns accountability to the right owner. Watch for distractors that name "detection" or "prevention" as if they were treatment categories — the four treatments are mitigate, avoid, transfer, and accept.

The following decision heuristics resolve most CC treatment questions; apply them in order:

  1. Does the business need the activity? If no, avoid is usually best (stop or remove it).
  2. Is the activity needed but risk above tolerance? Mitigate with proportional controls.
  3. Is the consequence mostly financial or operationally specialized, and a third party can carry it better? Consider transfer — but keep oversight.
  4. Is the risk already within tolerance and cheap to monitor? Accept with documented sign-off.

These options are not mutually exclusive. A realistic program often combines them: mitigate the bulk of a cloud-data risk with encryption, MFA, and monitoring; transfer part of the residual financial exposure to cyber insurance; and accept the small remaining risk with leadership sign-off. CC items sometimes reward recognizing that a single risk receives a blend of treatments rather than one pure choice.

Common traps to memorize. Transfer never moves accountability — outsourcing or insuring does not relieve the organization of legal duty or oversight, so an answer claiming "insurance eliminates the risk" is wrong. Acceptance is never silence — an undocumented, unapproved decision to live with a risk is neglect, not acceptance, and the right answer escalates to the risk owner. Avoidance is not always available — if the activity is core to the mission (a bank cannot "avoid" online banking), mitigation is the realistic path.

A compensating control is judged by whether it actually brings residual risk inside tolerance: "we added a sign-in banner" does not compensate for missing MFA on a critical admin portal, because a banner only deters and informs; it does not block use of a stolen credential. When two answers look plausible, prefer the one that both fits the business need and places the decision with an accountable owner at the correct level.
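The decision heuristics, the blended-treatment case, and the common traps above can be turned into checks that run over a risk register before a review meeting. The following is an added example written for this page, not ISC2 material or code from any real GRC product. The 1-5 likelihood and impact scale, the tolerance threshold of 4, the approval ladder by residual score, the role names, and the register field names are all assumptions made for illustration; the sample register entries are constructed.

```python
"""Risk-register entry checker for the four CC treatment options.

Added example for this page (not ISC2 material): it turns the page's decision
heuristics and "common traps" into checks a GRC engineer could run over a risk
register. The 1-5 likelihood/impact scale, the tolerance of 4, the approval
ladder and the field names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}

# Assumed approval ladder: lowest role that may accept a residual score at or
# below each ceiling. Score = likelihood * impact on a 1-5 scale (1..25).
APPROVAL_LADDER = [(4, "risk_owner"), (9, "business_owner"), (25, "executive")]
ROLE_RANK = {"analyst": 0, "risk_owner": 1, "business_owner": 2, "executive": 3}


@dataclass
class Risk:
    name: str
    likelihood: int                  # inherent likelihood, 1-5 (assumed scale)
    impact: int                      # inherent impact, 1-5
    business_needed: bool            # does the mission need the activity?
    treatments: Tuple[str, ...]      # one or more of TREATMENTS; blends allowed
    owner: str = ""                  # accountable owner; stays set even on transfer
    approver_role: str = ""          # who signed off on an acceptance or exception
    documented: bool = False
    residual_likelihood: Optional[int] = None   # after controls; None = unchanged
    residual_impact: Optional[int] = None
    compensating: bool = False       # interim control standing in for the preferred one
    retirement_date: Optional[date] = None      # hard date to replace it


def min_role_to_accept(residual: int) -> str:
    """Heuristic 4: who must sign off, by residual score (assumed ladder)."""
    for ceiling, role in APPROVAL_LADDER:
        if residual <= ceiling:
            return role
    return "executive"


def residual_score(r: Risk) -> int:
    if "avoid" in r.treatments:      # activity stopped: nothing left to realise
        return 0
    lik = r.likelihood if r.residual_likelihood is None else r.residual_likelihood
    imp = r.impact if r.residual_impact is None else r.residual_impact
    return lik * imp


def check(r: Risk, tolerance: int = 4, today: date = date(2026, 6, 1)) -> List[str]:
    """Return findings for one register entry; an empty list means it passes."""
    findings = []
    bad = set(r.treatments) - TREATMENTS
    if bad:                          # "detection"/"prevention" are not treatments
        findings.append(f"not a treatment category: {sorted(bad)}")
    if not r.owner:                  # trap: transfer never moves accountability
        findings.append("no accountable owner named")
    if not r.business_needed and "avoid" not in r.treatments:
        findings.append("activity not needed: consider avoid first")
    res = residual_score(r)
    if res > tolerance:              # insurance or a banner does not "eliminate" risk
        findings.append(f"residual {res} exceeds tolerance {tolerance}")
    if "accept" in r.treatments:
        if not r.documented:
            findings.append("undocumented acceptance is neglect, not acceptance")
        needed = min_role_to_accept(res)
        if ROLE_RANK.get(r.approver_role, -1) < ROLE_RANK[needed]:
            findings.append(f"acceptance needs {needed}, got {r.approver_role or 'nobody'}")
    if r.compensating:
        if not r.documented:
            findings.append("compensating control has no documented exception")
        if r.retirement_date is None:
            findings.append("compensating control has no retirement date")
        elif r.retirement_date <= today:
            findings.append("compensating control is past its retirement date")
    return findings


# Constructed sample register entries (illustrative, not real data).
ENTRIES = {
    "admin-portal": Risk("internet-facing admin portal, passwords only", 5, 5, True,
                         ("mitigate",), owner="it-director", documented=True,
                         residual_likelihood=1, residual_impact=4),
    "donor-cards": Risk("donor card data stored locally, no business need", 4, 5, False,
                        ("accept",), approver_role="analyst"),
    "cloud-data": Risk("customer data in cloud storage", 4, 4, True,
                       ("mitigate", "transfer", "accept"), owner="cto",
                       approver_role="risk_owner", documented=True,
                       residual_likelihood=1, residual_impact=3),
    "legacy-app": Risk("legacy app cannot support MFA", 4, 4, True, ("mitigate",),
                       owner="app-owner", documented=True, compensating=True,
                       residual_likelihood=2, residual_impact=2,
                       retirement_date=date(2026, 12, 31)),
}

if __name__ == "__main__":
    for key, risk in ENTRIES.items():
        print(key, check(risk) or ["ok"])
```

Running it lists the "donor-cards" entry with five findings (no owner, activity not needed so avoid should be considered, residual far above tolerance, acceptance undocumented, and an analyst rather than an executive signing off), while the mitigated portal, the blended cloud-data entry and the legacy app with a dated compensating control pass. Note that the blended entry passes only because the residual left after mitigation and transfer is both inside tolerance and accepted by a role high enough on the assumed ladder; transfer alone would not have cleared it.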

Test Your Knowledge

A company stops collecting a sensitive data field because it is not needed for operations. Which risk treatment is this?

Test Your Knowledge (Multi-Select)

Which statements about risk transfer are correct? Choose two.

Select all that apply

  • It can shift some financial consequence to another party
  • It still leaves the organization accountable for oversight
  • It always eliminates residual risk entirely
  • It is the same as ignoring the risk
Test Your Knowledge (Matching)

Match each treatment option to the best example.

Match each item on the left with the correct item on the right

  1. Mitigate
  2. Avoid
  3. Transfer
  4. Accept