There are several response action categories, each corresponding to one of the general approaches to risk treatment. These response action categories are:
1. TOLERATE. The exposure may be tolerable without any further action being taken; or, even if it is not tolerable, the ability to do anything about it may be limited (or the cost of taking action may be disproportionate to the potential benefit). In these cases the response may be to tolerate the existing level of risk. This option may, of course, be supplemented by contingency planning for handling the impact that will arise if the risk materialises as an actual event.
The actions related to this kind of approach are:
- Risk acceptance: no action is taken to affect likelihood or impact.
- Retaining: after risks have been modified or shared, there will be residual risks that are retained. A risk can be retained by informed decision, i.e. acceptance of the burden of loss, or benefit of gain, from a particular risk, including the acceptance of risks that have not been identified. Risks can also be retained by default, e.g. when there is a failure to identify a risk, or to share or otherwise treat it appropriately. Likewise, after opportunities have been modified or shared, there may be residual opportunities that are retained without any specific immediate action being required (retaining the residual opportunity).
2. TREAT. Usually, the majority of risks are addressed this way. The purpose of treatment is to continue the activity that gives rise to the risk while taking specific action to constrain that risk to an acceptable level.
Actions related to this kind of approach are as follows:
- Removing: removing the risk source.
- Risk reduction: actions are taken for:
  - Changing likelihood (mitigating actions): action taken to reduce the likelihood of negative outcomes and/or to increase the likelihood of opportunities, in order to enhance good outcomes.
  - Changing the consequences (contingency actions): action taken to reduce the extent of losses and/or to increase the extent of gains from related opportunities. This includes setting up pre-event measures and post-event responses such as continuity plans.
From the risk management perspective, the first kind of action (changing likelihood) should be preferred, as it prevents the risk event rather than dealing with its consequences after the fact.
3. TRANSFER. For some risks the best response may be to transfer them[1]. Transfer may be considered either to reduce the exposure of the organization or because another organization (which may be another public organization) is judged more capable of managing the risk effectively. It is worth noting that some risks are not (fully) transferable: reputational risk, in particular, can hardly be transferred. The relationship with the third party to which the risk is transferred needs to be carefully managed to ensure that the transfer succeeds.
Actions related to this kind of approach are as follows:
- Transferring[2] the risk or a portion of it[3].
- Sharing[4]: another party or parties bear or share some part of the risk outcomes, usually by providing additional capabilities or resources that increase the likelihood of opportunities or the extent of gains from them. Sharing positive outcomes can involve sharing some of the costs incurred in obtaining them. Sharing arrangements often introduce new risks, in that the other party or parties may fail to deliver the required capabilities or resources effectively.
4. TERMINATE. Some risks will only be treatable, or reducible to acceptable levels, by terminating the activity. It is worth noting that this option can be severely limited in the public sector compared to the private sector. It can be particularly important in project management.
- Avoiding: action is taken to stop the activities giving rise to the risk, or the risk is avoided by not starting such activities (where this option is practicable). Risk avoidance can be applied inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may either increase the significance of other risks or lead to the loss of opportunities.
5. TAKE THE OPPORTUNITY. This option is not an alternative to those above; rather, it should be considered whenever a risk is being tolerated, transferred or treated. This can occur in two ways: the first is when an opportunity arises to exploit a positive impact, whether or not action is taken to mitigate threats at the same time. The second is when circumstances arise which, whilst not generating threats, offer positive opportunities.
- Taking/increasing: taking or increasing risk in order to pursue an opportunity.
Risk treatment options are not necessarily mutually exclusive, nor appropriate in all circumstances. Often a risk response will combine two or more of these strategies to achieve the desired result, and an organization can normally benefit from adopting a combination of treatment options. Implementing the selected risk responses involves developing a risk plan that outlines the management processes to be used to keep risk or opportunity at the level set by the organization's risk appetite and culture.
Risk treatment involves selecting one or more options for modifying risks and implementing those options. Once implemented, treatments provide or modify controls: any action taken to address a risk forms part of what is known as "internal control".
[1] This might be done by conventional insurance, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.
[2] ISO Guide 73:2009 treats 'risk transfer' as a form of risk sharing.
[3] For example through insurance or outsourcing.
[4] ISO Guide 73:2009 notes that risk sharing involves the agreed distribution of risk with other parties, and that legal or regulatory requirements can limit, prohibit or mandate risk sharing. Moreover, the extent to which risk is actually distributed can depend on the reliability and clarity of the sharing arrangements.