Module 22: Risk Treatment / Risk Response Options

CRISC Domain 3 — Risk Response and Reporting, Section A
Not every risk must be eliminated.
Every risk must be addressed intentionally.

Domain 3 begins with structured decision-making.

CRISC is not testing whether you can deploy controls.

It is testing whether you can choose the appropriate response strategy.


What the exam is really testing

When risk response appears, CRISC is asking:

  • Is the response aligned to appetite?
  • Is it proportionate to impact?
  • Is it cost-effective?
  • Is it formally approved?
  • Is governance involved when required?

CRISC prefers disciplined selection — not emotional reaction.


The four primary risk response options

These are foundational.


1. Risk avoidance

Eliminate the activity that creates the risk.

Examples:

  • Cancel a high-risk project
  • Exit a market
  • Discontinue a vulnerable system

Avoidance removes exposure entirely.

CRISC often tests whether avoidance is realistic.

Avoidance is rarely the first answer unless exposure is catastrophic and intolerable.


2. Risk mitigation (reduction)

Implement controls to reduce likelihood and/or impact.

Examples:

  • Encryption
  • Segmentation
  • Access controls
  • Monitoring
  • Process redesign

Mitigation reduces residual risk — it does not eliminate risk.

This is the most common response.


3. Risk transfer (sharing)

Shift part of the financial impact to another party.

Examples:

  • Cyber insurance
  • Outsourcing
  • Contractual indemnification

Important:

Transfer does not eliminate risk.
It shifts financial consequence — not accountability.

Governance accountability always remains internal.


4. Risk acceptance

Formally acknowledge and accept the risk.

Acceptance requires:

  • Residual risk within appetite
  • Formal documentation
  • Defined owner
  • Governance approval (if required)

Acceptance is not ignoring risk.

It is a structured decision.


The most common exam mistake

Candidates assume:

  • Mitigation is always best.
  • Transfer eliminates responsibility.
  • Acceptance equals negligence.
  • Avoidance is the safest default.

CRISC expects proportional response aligned to appetite.


Decision factors in risk response

Response selection should consider:

  • Risk level (residual)
  • Risk appetite and tolerance
  • Cost vs benefit of controls
  • Regulatory requirements
  • Strategic objectives
  • Operational feasibility

If mitigation cost exceeds potential loss, acceptance may be appropriate.

CRISC tests economic reasoning.


Example scenario (walk through it)

Scenario:
A moderate residual risk is identified. Mitigation cost exceeds potential financial loss, and risk falls within tolerance.

What is the MOST appropriate response?

A. Avoid
B. Mitigate
C. Transfer
D. Accept

Correct answer:

D. Accept

Risk is within tolerance and mitigation is not economically justified.


Slightly harder scenario

An organization purchases cyber insurance and assumes risk management responsibilities are transferred.

What is the MOST significant misunderstanding?

A. Weak inherent risk
B. Transfer eliminates accountability
C. Excessive appetite
D. Poor mitigation

Correct answer:

B. Transfer eliminates accountability

Risk transfer shifts financial exposure — not governance responsibility.


Avoidance trap

A high-risk project aligns strongly with strategic objectives. Risk can be mitigated to within tolerance.

What is the MOST appropriate response?

A. Avoid immediately
B. Escalate and cancel
C. Mitigate to acceptable residual level
D. Transfer entirely

Correct answer:

C. Mitigate to acceptable residual level

Avoidance may conflict with business strategy. Mitigation aligned to appetite is appropriate.


Risk response hierarchy thinking

When reading a question:

  1. Has risk been assessed?
  2. Is residual within tolerance?
  3. Is mitigation cost-effective?
  4. Are regulatory requirements involved?
  5. Does strategy require proceeding?

CRISC rewards proportional, structured decisions.


Risk acceptance governance

Formal acceptance requires:

  • Documentation in risk register
  • Defined owner
  • Executive approval if required
  • Periodic review

If acceptance occurs without documentation, governance maturity is low.
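The five-step hierarchy above and the acceptance checklist in this section can be written down as a small decision routine, which makes it easy to check that a proposed response actually follows the order the module describes. The code below is an added example, not part of the CRISC module or any ISACA material; the scoring scale, the tolerance threshold, the field names and the sample risks are all assumptions chosen to mirror the scenarios earlier on this page.

```python
"""Added example (not from the module): encode the risk response hierarchy
and the formal-acceptance checklist as code. All names, scales and thresholds
are assumptions; the sample risks are constructed to mirror the page's scenarios."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed tolerance boundary on a 1-25 likelihood x impact scale.
TOLERANCE = 12


@dataclass
class Risk:
    name: str
    residual_score: int                 # assumed 1-25 residual rating
    annual_loss_expectancy: float       # expected loss per year if untreated
    mitigation_cost: float              # yearly cost of the proposed controls
    mitigation_reaches_tolerance: bool  # can controls bring residual within tolerance?
    regulatory_mandate: bool = False    # regulation requires the risk be controlled
    strategic_priority: bool = False    # strategy requires the activity to proceed
    assessed: bool = True


def select_response(risk: Risk) -> tuple:
    """Walk the module's hierarchy in order; return (response, reason)."""
    # 1. Has the risk been assessed? Nothing else is decided before that.
    if not risk.assessed:
        return ("assess", "risk must be assessed before a response is selected")
    # 4. Regulatory requirements take acceptance off the table.
    if risk.regulatory_mandate:
        if risk.mitigation_reaches_tolerance:
            return ("mitigate", "regulation requires control; mitigation reaches tolerance")
        return ("escalate", "regulation requires control but tolerance cannot be reached")
    # 2. Residual within tolerance: acceptance is a candidate.
    if risk.residual_score <= TOLERANCE:
        # 3. Mitigate only when control cost is below the expected loss.
        if risk.mitigation_cost < risk.annual_loss_expectancy:
            return ("mitigate", "within tolerance but controls cost less than expected loss")
        return ("accept", "within tolerance and mitigation is not economically justified")
    # Residual above tolerance: reduce it if controls can get there.
    if risk.mitigation_reaches_tolerance:
        return ("mitigate", "residual above tolerance; mitigate to acceptable residual level")
    # 5. Strategy requires proceeding but tolerance cannot be reached: governance decides.
    if risk.strategic_priority:
        return ("escalate", "above tolerance, cannot mitigate; needs governance decision")
    return ("avoid", "above tolerance, cannot mitigate, not strategically required")


@dataclass
class AcceptanceRecord:
    risk_name: str
    in_register: bool                 # documented in the risk register
    owner: Optional[str]              # defined risk owner
    approved_by: Optional[str]        # executive approver, when required
    requires_executive_approval: bool
    accepted_on: date
    review_interval_days: int         # periodic review cadence; 0 means none defined


def acceptance_gaps(rec: AcceptanceRecord, today: date) -> list:
    """Return the checklist items a formal acceptance fails; empty list means compliant."""
    gaps = []
    if not rec.in_register:
        gaps.append("not documented in risk register")
    if not rec.owner:
        gaps.append("no defined owner")
    if rec.requires_executive_approval and not rec.approved_by:
        gaps.append("executive approval missing")
    if rec.review_interval_days <= 0:
        gaps.append("no periodic review defined")
    elif today > rec.accepted_on + timedelta(days=rec.review_interval_days):
        gaps.append("periodic review overdue")
    return gaps


if __name__ == "__main__":
    # Constructed sample risks mirroring the page's scenarios.
    moderate = Risk("legacy report tool", 8, 40_000.0, 65_000.0, True)
    strategic = Risk("new market launch", 20, 900_000.0, 150_000.0, True,
                     strategic_priority=True)
    dead_end = Risk("unsupported platform", 20, 300_000.0, 500_000.0, False)
    for r in (moderate, strategic, dead_end):
        print(r.name, "->", select_response(r))
    rec = AcceptanceRecord("legacy report tool", True, None, "CIO", True,
                           date(2024, 1, 15), 365)
    print(acceptance_gaps(rec, date(2025, 3, 1)))
```

Running the script prints `accept` for the moderate, within-tolerance risk, `mitigate` for the strategically required project, and `avoid` for the risk that cannot be reduced and is not needed; the acceptance record then fails on the missing owner and the overdue review. The point of the ordering in `select_response` is that the cost comparison is only consulted once tolerance has been checked, which is exactly the sequencing the hierarchy asks for.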


Quick knowledge check

1) Which response removes the activity creating exposure?

A. Mitigation
B. Transfer
C. Acceptance
D. Avoidance

Answer & reasoning

Correct: D

Avoidance eliminates the risk source.


2) Risk transfer primarily shifts:

A. Accountability
B. Governance responsibility
C. Financial consequence
D. Threat likelihood

Answer & reasoning

Correct: C

Transfer shifts financial exposure, not accountability.


3) Risk acceptance is appropriate when:

A. Risk exceeds tolerance
B. Mitigation is impossible
C. Residual risk is within appetite and formally approved
D. Insurance is purchased

Answer & reasoning

Correct: C

Acceptance must be structured and within tolerance.


Final takeaway

Risk response must be:

  • Intentional
  • Documented
  • Proportionate
  • Economically justified
  • Aligned with appetite
  • Governance-approved when necessary

Mitigation is common — but not automatic.

Transfer does not remove responsibility.

Acceptance requires discipline.

Avoidance must align with strategy.

CRISC rewards structured decision-makers — not control enthusiasts.
