Skip to main content

3.2 Risk Response Options

3.2 Risk Response Options



Following are the four options for responding to the risk:

Risk Avoidance


  • In this approach, projects or activities that cause the risk are avoided.

  • Risk avoidance is the last choice when no other response is adequate.

  • For example, declining a project when business cases show a high risk of failure.


Risk Mitigation


  • In this approach efforts are made to reduce the probability or impact of the risk event by designing the appropriate controls.

  • Objective of risk mitigation is to reduce the risk to an acceptable level.


Risk sharing/Transferring


  • In this approach, risk is shared with partners or transferred via insurance coverage, contractual agreement or other means.

  • Natural disasters have a very low probability but a high impact. Response for such risk should be risk transfer.


Risk Acceptance


  • In this approach, risk is accepted as it is in accordance with risk appetite of the organisation.

  • Risk is accepted where cost of controlling the risk is more than the cost of risk event.

  • For example, for few non critical systems, the cost of anti-malware installation is more than the anticipated cost of damage due to malware attack. In such cases, the organization generally accepts the risk as it is.

  • No steps are taken to reduce the risk.

  • However, organizations need to be utmost careful while accepting the risk. If risk is accepted without knowing the correct level of risk, it may result in a higher level of liabilities.

Key aspects from CRISC exam perspective




CRISC Question
Possible Answer
Risk response where cost of control exceeds the cost of risk event
Risk Acceptance
Risk avoidance can be done by
Exiting the process that causes the risk
Risk response options that  most  likely to increase the liability
Risk Acceptance
(Organization may choose to accept risk without knowing the correct level of risk that is being accepted; this may result in higher liabilities)
Risk response in which process is outsourced to a professional organization having expertise knowledge
Risk Mitigation
Most suitable risk response where risk related to a specific business process is greater than the potential opportunity
Risk Avoidance
Risk response in form of purchasing an insurance is
Risk transfer
Use of a business case

Business case helps to determine the costs and benefits of the risk response.
Most important for risk mitigation to
Is to reduce the risk to an acceptable level
Most effective way to treat a risk with a low
probability and a high impact (such as natural disaster)
Risk Transfer


Practice Questions - 3.2 Risk Response Options


Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: A...
Read more

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical backgrou...
Read more

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statist...
Read more