
3.2 Risk Response Options


There are four options for responding to a risk:

Risk Avoidance


  • In this approach, the project or activity that gives rise to the risk is not undertaken (or an existing process is exited), so the risk is eliminated rather than managed.

  • Risk avoidance is the last choice, used when no other response is adequate.

  • For example, declining a project when the business case shows a high risk of failure.


Risk Mitigation


  • In this approach, the probability or the impact of the risk event is reduced by designing and implementing appropriate controls.

  • The objective of risk mitigation is to reduce the risk to an acceptable level, not necessarily to eliminate it.


Risk Sharing/Transfer


  • In this approach, the risk is shared with partners or transferred to a third party through insurance coverage, contractual agreements or other means.

  • Sharing or transfer shifts the financial impact of the risk event; the organisation remains accountable for the outcome and should verify that the counterparty can actually bear the transferred loss.

  • Natural disasters have a very low probability but a high impact. The appropriate response to such a risk is usually risk transfer (for example, insurance).


Risk Acceptance


  • In this approach, the risk is accepted as it is, provided it falls within the organisation's risk appetite.

  • Risk is accepted where the cost of controlling the risk exceeds the cost of the risk event.

  • For example, for a few non-critical systems, the cost of installing anti-malware may exceed the anticipated cost of damage from a malware attack. In such cases, the organisation generally accepts the risk as it is.

  • No steps are taken to reduce the risk.

  • However, organisations need to be extremely careful when accepting risk. If a risk is accepted without knowing its correct level, the organisation may take on a higher level of liability than intended. Acceptance should therefore be a documented decision by the risk owner, based on a completed risk assessment.

Key aspects from the CRISC exam perspective

  • Risk response where the cost of control exceeds the cost of the risk event: Risk Acceptance

  • Risk avoidance can be done by: Exiting the process that causes the risk

  • Risk response option most likely to increase liability: Risk Acceptance (an organisation may accept a risk without knowing the correct level of risk being accepted, which can result in higher liability)

  • Risk response in which a process is outsourced to a professional organisation with expert knowledge: Risk Mitigation

  • Most suitable risk response where the risk related to a specific business process is greater than the potential opportunity: Risk Avoidance

  • Risk response in the form of purchasing insurance: Risk Transfer

  • Use of a business case: A business case helps to determine the costs and benefits of each risk response

  • Most important objective of risk mitigation: To reduce the risk to an acceptable level

  • Most effective way to treat a risk with low probability and high impact (such as a natural disaster): Risk Transfer



