Risk Treatment and Response Options is the ISACA CRISC-defined decision process through which an organization selects and implements one or more responses to a formally assessed risk. The four canonical response options are: (1) MITIGATE — implement controls to reduce the probability and/or impact of a risk event; (2) AVOID — eliminate the activity, process, or exposure that generates the risk entirely; (3) TRANSFER — shift the financial or operational consequence of a risk to a third party via insurance, contracts, outsourcing, or hedging; and (4) ACCEPT — consciously retain the risk as-is, with formal governance documentation, when treatment cost exceeds expected impact or when the risk falls within defined risk appetite. Mature organizations apply combination strategies — layering mitigation with transfer, or accepting residual risk after partial mitigation — rather than relying on any single option.
Where it stops · what it isn't
- Risk treatment IS the strategic selection of a response option and the evaluation of residual risk post-treatment; it is NOT the detailed operationalization of controls (that belongs to Risk Treatment Plans).
- Risk treatment IS a governance-approved, documented decision with cost-benefit justification; it is NOT an informal or ad-hoc technical fix applied without formal review.
- Risk treatment IS applicable to risks that have been formally identified and assessed with a risk rating; it must never precede risk assessment.
- Accepting a risk IS a deliberate, documented strategic choice requiring governance approval; it is NOT the same as ignoring or overlooking a risk.
- Risk transfer shifts financial or operational consequences to a third party but does NOT eliminate the underlying risk event or the organization's reputational exposure.
- Residual risk (risk remaining after treatment) is DISTINCT from inherent risk (risk before any controls) and must be separately evaluated for alignment with risk appetite.
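As an added worked example (not ISACA text and not any tool's code), the decision rule from the overview applied to a constructed risk: MITIGATE scales likelihood and impact, TRANSFER moves a share of the financial loss to a third party while reputational exposure stays with the organization, AVOID removes the exposure, and the residual annualized loss expectancy is then checked against both treatment cost and the appetite threshold. The loss model (annualized loss expectancy with multiplicative factors) and every figure used are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float           # annual probability of the risk event (0..1)
    financial_impact: float     # loss per event that a third party could absorb
    reputational_impact: float  # loss per event that stays with the organization

    def ale(self) -> float:
        """Annualized loss expectancy: probability times total impact per event."""
        return self.likelihood * (self.financial_impact + self.reputational_impact)


@dataclass
class Treatment:
    option: str                     # "MITIGATE", "TRANSFER", "AVOID" or "ACCEPT"
    annual_cost: float = 0.0
    likelihood_factor: float = 1.0  # MITIGATE: multiplier on likelihood
    impact_factor: float = 1.0      # MITIGATE: multiplier on financial impact
    transferred_share: float = 0.0  # TRANSFER: share of financial loss moved to a third party


def residual_risk(risk: Risk, treatments: list[Treatment]) -> Risk:
    """Apply the treatments in layers; reputational exposure is never transferred."""
    if any(t.option == "AVOID" for t in treatments):
        return Risk(risk.name, 0.0, 0.0, 0.0)  # the exposure no longer exists
    likelihood, financial, retained = risk.likelihood, risk.financial_impact, 1.0
    for t in treatments:
        if t.option == "MITIGATE":
            likelihood *= t.likelihood_factor
            financial *= t.impact_factor
        elif t.option == "TRANSFER":
            retained *= 1.0 - t.transferred_share
    return Risk(risk.name, likelihood, financial * retained, risk.reputational_impact)


def evaluate(risk: Risk, treatments: list[Treatment], appetite: float) -> dict:
    """Compare inherent vs residual ALE, treatment cost and the appetite threshold."""
    res = residual_risk(risk, treatments)
    cost = sum(t.annual_cost for t in treatments)
    reduction = risk.ale() - res.ale()
    if cost > reduction:
        decision = "REJECT: treatment cost exceeds the expected loss it removes"
    elif res.ale() <= appetite:
        decision = "ACCEPT residual risk: within appetite, document for governance sign-off"
    else:
        decision = "ESCALATE: residual risk still exceeds appetite, add treatment layers"
    return {"inherent_ale": risk.ale(), "residual_ale": res.ale(), "treatment_cost": cost,
            "net_benefit": reduction - cost, "decision": decision}
```

Running `evaluate` on a constructed risk (likelihood 0.2, financial impact 500000, reputational impact 100000) with a 50% likelihood / 20% impact mitigation plus a 60% financial transfer brings the ALE from 120000 down to 26000, which the rule accepts against a 30000 appetite; an AVOID option priced above the inherent ALE is rejected on cost.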
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Risk Identification and Assessment; Risk Appetite and Tolerance Framework
- ENABLES: Inherent, Residual, and Current Risk Evaluation; Risk Treatment Plans (operationalization and documentation)
- PART OF: CRISC Domain 3: Risk Response and Reporting
- RELATED TO: Risk and Control Ownership; Control Types, Standards, and Frameworks
- CONSTRAINS: Capital Allocation and Security Investment Decisions