Risk

Treatment
Bobita, Stephanie Mae
Mendoza, Paul Abrahm
Pungtan, Alexandra
Teanila, Andrei Christian
What is Risk Treatment
• Risk Treatment is the process of selecting and
implementing of measures to modify risk. Risk treatment
measures can include avoiding, optimizing, transferring or
retaining risk.
• Risk treatment is a collective term for all the tactics, options,
and strategies chosen to respond to a specific risk, bound to
achieve the desired outcome concerning the threat.
• Consequently, risk treatment is not a concept functioning on
its own. On the contrary, it should always be examined,
understood, and implemented as a part of a bigger whole
Steps of Risk Treatment
• In the risk treatment process, it's recommended to follow five main
steps ensuring correct logistics and effectiveness of the strategy:

1. Brainstorming and selecting the right risk treatment option.

2. Planning and use of options chosen.
3. Examining the effectiveness of the chosen tactics.
4. Deciding whether the level of the remaining risk, i.e., residual risk,
is acceptable or not.
5. If it's not acceptable, implementing new risk treatment activities
to reduce the residual risk.
Risk Treatment
Process
Risk treatment assessment
• an organization should select the best option at its disposal. That
involves balancing the costs of implementing each option against the
benefits derived from it, with regard to legal, regulatory, and other
requirements such as social responsibility. In general, the cost of
managing risks needs to be balanced with the benefits obtained.
When making such cost versus benefit judgments, the context should
be taken into account. It is important to consider all direct and
indirect costs and benefits, whether tangible or intangible, and
measure them in financial or other terms.
Risk Treatment Plan
• Treatment should involve, at the operational
level, preparing and implementing a related plan.
It shows how the treatment options selected will
be implemented and should be integrated with
the management and budgetary processes.
• Specifically, the information provided in a treatment plan
should include:
• a. The reasons for selecting the treatment options, including
expected benefits;
• b. Who is accountable for approving the plan and who is
responsible for implementing it;
• c. The actions proposed;
• d. Resource requirements, including contingencies;
• e. Performance measures and constraints;
• f. Reporting and monitoring requirements;
• g. Timing and schedule.
Risk treatment monitoring
• in designing response actions, it is important that the controls put
in place are proportional to the risks. Risk analysis assists such a
process by identifying those risks requiring attention by the
management. Risk control actions will be prioritized in terms of their
potential to benefit the organization. Effectiveness of internal control
is determined by how much the risk will be either eliminated or
reduced by the control measures proposed. The latter need to be
measured in terms of potential economic effect if no action is taken,
versus the cost of the action(s) proposed, and invariably require more
detailed information and assumptions than are promptly available.
Every response action has a related cost, and it is important that the
treatment offers value for money in relation to the risk controlled by
it.
• In this regard, options in addressing risk (“TREAT”) can be further
analysed into four different types of related/associated controls:

• PREVENTATIVE CONTROLS. These are designed to limit undesirable

outcomes. The more an undesirable outcome should be avoided, the more
appropriate preventative controls should be implemented[1]. Most of
controls implemented in organizations tend to belong to this category.

• CORRECTIVE CONTROLS. These are designed to correct undesirable

outcomes that have occurred, and provide a way to achieve some recovery
against loss or damage[2]. Contingency planning is an important element of
corrective control.

• DIRECTIVE CONTROLS. These are designed to ensure that a particular

outcome is achieved, and are particularly important when avoiding an
undesirable event – typically related to Health and Safety or to security – is
crucial[3].

• DETECTIVE CONTROLS. These are designed to identify occasions of

occurrence of undesirable outcomes. Their effect is, by definition, “after the
event” so they are only appropriate when the resulting loss or damage can be
accepted
Residual risk measurement
• If a residual risk persists even after treatment, a decision should be
taken about whether to retain this risk or to repeat the risk
treatment process. For residual risks that are deemed to be high,
information should be collected about the cost of implementing
further mitigation strategies.
F.1. Four
categories of risk
treatment
• Avoidance(eliminate, withdraw from or not
become involved)
• Reduction (optimize – mitigate)
• Sharing (transfer – outsource or insure)
• Retention (accept and budget)
Risk avoidance
• This includes not performing an activity that could
present risk. Refusing to purchase a property or business
to avoid legal liability is one such example. Avoiding
airplane flights for fear of hijacking. Avoidance may seem
like the answer to all risks, but avoiding risks also means
losing out on the potential gain that accepting (retaining)
the risk may have allowed. Not entering a business to
avoid the risk of loss also avoids the possibility of earning
profits. Increasing risk regulation in hospitals has led to
avoidance of treating higher risk conditions, in favor of
patients presenting with lower risk
Risk reduction
• Risk reduction or "optimization" involves reducing the severity of the
loss or the likelihood of the loss from occurring. For example,
sprinklers are designed to put out a fire to reduce the risk of loss by
fire. This method may cause a greater loss by water damage and
therefore may not be suitable. Halon fire suppression systems may
mitigate that risk, but the cost may be prohibitive as a strategy.
Risk sharing
• Briefly defined as "sharing with another party the burden of loss or the benefit of
gain, from a risk, and the measures to reduce a risk."

• The term of 'risk transfer' is often used in place of risk sharing in the mistaken
belief that you can transfer a risk to a third party through insurance or
outsourcing. In practice if the insurance company or contractor go bankrupt or
end up in court, the original risk is likely to still revert to the first party. As such,
in the terminology of practitioners and scholars alike, the purchase of an
insurance contract is often described as a "transfer of risk." However, technically
speaking, the buyer of the contract generally retains legal responsibility for the
losses "transferred", meaning that insurance may be described more accurately
as a post-event compensatory mechanism. For example, a personal injuries
insurance policy does not transfer the risk of a car accident to the insurance
company. The risk still lies with the policy holder namely the person who has
been in the accident. The insurance policy simply provides that if an accident
(the event) occurs involving the policy holder then some compensation may be
payable to the policy holder that is commensurate with the suffering/damage.
Risk retention
• Risk retention involves accepting the loss, or benefit of gain, from a
risk when the incident occurs. True self-insurance falls in this
category. Risk retention is a viable strategy for small risks where the
cost of insuring against the risk would be greater over time than the
total losses sustained. All risks that are not avoided or transferred
are retained by default. This includes risks that are so large or
catastrophic that either they cannot be insured against or the
premiums would be infeasible. War is an example since most
property and risks are not insured against war, so the loss attributed
to war is retained by the insured. Also any amounts of potential loss
(risk) over the amount insured is retained risk. This may also be
acceptable if the chance of a very large loss is small or if the cost to
insure for greater coverage amounts is so great that it would hinder
the goals of the organization too much.
F.2. The Benefits of
Appropriate Risk
Treatment
Options of Risk Treatment
• Risk Avoidance
• Risk Increase
• Risk Removal
• Risk Modification
• Risk Sharing
• Retaining Risk
 Risk Avoidance
• Decisiontaken when risks are so high that
treatment cannot be contemplated
• Risks
maybe unknown or simply
uncontrollable
• Typicalactivities are cancelled in such risk
scenarios
 Risk Increase
• Thisis where deliberate actions are taken to
decrease the level of control of the risk or
increase exposure.
• Theseactions are predicated on the possible
benefits to be gained, hence the idea here is to
maximize or seize opportunities, or ride the
waves.
• Risksmight also increased by reducing the level
of controls where costs exceeds benefits.
 Risk Removal
• Thisis an unlikely option to exercise because
organizations usually do not have the leverage to
effect removal risks entirely.
• Inthe case of unfavorable legislation, the
organization may join with industry members in
lobbying government to either amend, delay
implementation or remove legislation.
 Risk Modification
• Changing of likelihood
• Changing of impact
 Risk Sharing
• Involves
engaging a partner that can
manage the risk more effectively.
• Decision id usually dependent on the
inability on the part of the organization to
reduce the risk to within its level of
tolerability, lack of resources or economic
factors.
 Retaining Risk
• Risk remaining after risk treatment in the referred
to as retain risk or residual risk.
• Thelevel of risk retained is dependent in the risk
appetite on the organization. If the level risk
meets accepted criteria, further treatment is
unnecessary.
• Retainedrisk must be documented and there must
be cognizance that it can include unidentified
risks.
 Balance in Risk Treatment

Continue
spending
 Balance in Risk Treatment

Discontinue
spending
F.3. Applicability of
Risk Treatments to Risk
Identified
• Risk may be classified a unacceptable
Avoidance of management risks may result in
vulnerable project/organization

• MOST SUCCESSFUL OUTCOMES

Requires mature/experienced organization
ready to develop risk management
• Riskprioritization may be biased by
subjectivity
Eventually missing or miss- prioritized
risk/rewards

• MOST COMMONLY USED

Unbalanced risk identification, i.e. too

focused on project delivery, may miss
sponsor or vendors/partners perspective