Skip to main content
Risk Treatment Types

Glossary of Risk Management Treatment Types

Updated over 2 weeks ago

When managing risks in Risk Management you can apply the relevant treatment type for each risk.

Note: Risk Treatment Types is only available with the Risk Management. Risk Management is part of the Advanced package and is separate from Risk Assessment. Learn more at https://drata.com/plans.

  • Please contact your CSM or Support if you're interested in learning more and adding Risk Management to your account.

BEFORE DIVING IN

  • Users must also have the admin, information security lead, or risk manager role to access this.

GLOSSARY

Avoid:

If a risk is deemed too high, then you simply avoid the activity that creates the risk. For instance, if flying in an airplane is too risky, you avoid taking the flight in the first place, and completely avoid the risk. Another example would be hiring an individual whose references would not recommend rehiring him — by not hiring him, you avoid the risk that he would not be an asset to your company.

Transfer:

In many instances, you can transfer the risk you take to another party. For instance, insurance companies exist for exactly this reason. You can also outsource the process in which the risk is present to another provider, thereby transferring the risk to the outsource provider.

Mitigate (Reduce):

Risk reduction is one of the most crucial steps for processes or activities that cannot be avoided, and where risk cannot be transferred to another party. An example of this would be training your staff on how to identify a phishing email, or on best practices involving login credentials and password hygiene.

Accept:

For some processes and activities, there is no option but to accept the risk. Of course, these instances should only involve low risk, or repercussions that are easily managed. Some risks might be completely acceptable and require you to take no action at all (a missed deadline on an open-ended project schedule, for instance).

Untreated:

If a risk has been identified and listed on your risk register, a treatment plan should be selected for that risk.

Did this answer your question?