Our company Our leadership Our values Events News Contact Us

Careers overview Current vacancieshiring Early Careers Benefits

Blogs Case studies Webinars White papers

Contact sales

Your priorities
The Platform
our solutions
- Audit & risk Audit and risk
  External Audit
  Improve the accuracy and efficiency of audits and build trust with clients.
  
  Internal Audit
  Gain total oversight and control of internal audit activity.
  
  Risk Management
  Centralize data for a holistic and strategic view of risk.
  
  Audit and risk solutions
  Audit and risk solutions that help you protect your business, engage with clients and have more strategic influence.
  Latest Gartner® Market Guide for EHS Software
  Download now
- DOCUMENT COLLABORATION DOCUMENT COLLABORATION
  Huddle
  Flexible and highly secure document collaboration for regulated industries.
  
  Mail Manager
  Email add-in for Outlook to boost productivity and improve document management.
  
  OnePlace Solutions
  Connect, simplify and personalize business systems built on Microsoft 365
  
  PleaseReview
  Real-time document review, co-authoring and redaction for regulated industries.
  
  Document collaboration solutions
  Bring teams and customers together with our document collaboration solutions to securely manage emails and documents.
  Latest Gartner® Market Guide for EHS Software
  Download now
- E-Learning and Content E-Learning & Content
  CompliSpace
  Policy, learning and assurance management to meet GRC obligations.
  
  WorkRite
  Workplace training and e-learning management system to meet regulatory requirements.
  
  E-learning and content solutions
  Meet regulatory requirements, bring policies to life, and keep employees safe with e-learning and content solutions.
  Latest Gartner® Market Guide for EHS Software
  Download now
- Environmental, Health and Safety Environmental, Health & Safety
  EHS
  A unified EHS solution that enables employers to report incidents, identify risks in real-time and automate safety processes across your organization.
  
  Maritime safety
  Extensive experience and specialized product suites that specifically address the unique needs of the maritime industry. Manage all aspects of health, safety and incident management.
  
  Environmental, health and safety solutions
  Improve safety, reduce risk and enhance environmental, health and safety performance across your business.
  Latest Gartner® Market Guide for EHS Software
  Download now
- quality quality
  Coruson
  Aviation safety management for complete control and reporting of operational risk.
  
  Quality Control
  Automate quality inspections and documentation to satisfy regulators and customers.
  
  Quality Management
  Digitalize your quality management processes for complete organizational insight.
  
  Smartforms
  Improve mobile incident and event reporting for real-time situational awareness.
  
  Quality solutions
  QMS solutions to help take control and ensure quality in every step of the process to unlock your full potential.
  Latest Gartner® Market Guide for EHS Software
  Download now
- A-Z Products

Our company Our leadership Our values Events News Contact Us

Careers overview Current vacancieshiring Early Careers Benefits

Blogs Case studies Webinars White papers

Contact Sales

Contact sales

2024 Resilience nation report • Download now

Home
Thought Leadership
Blog
ISO 31000: Developing your risk treatment strategy

ISO 31000: Developing your risk treatment strategy

Types of risk treatment

The different types of risk treatment might include:

Remove the risk altogether
Change the likelihood (such as move servers to a higher floor to reduce risk of flood damage)
Change the consequences
Share the risk through agreements, partnerships, further insurance etc
Retain and mitigate the risk by informed decision

It is up to the organisation to determine the balance between the benefits of retaining a risk (such as a competitive advantage) against the potential cost, adverse impact, and disadvantage of implementation.

Risk controls:

ISO 31000 defines a control as any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology, technique, method, or device that modifies or manages risk. Risk treatments become controls, or modify existing controls, once they have been implemented.

Two basic types of control

Preventive Controls prevent undesirable events from occurring. For example, stopping unauthorised access of sensitive information by ensuring the system has controlled access. Detective controls on the other hand seek out undesirable events after they have happened. This could be through a scheduled review or reconciliation of data, for example.

What are Control Measures?

Control measures are designed to eliminate the defined risk. They might work to substitute it with a lesser risk, isolate it or use administrative controls to mitigate the risk.

Residual risk should be considered in all cases where a risk has been determined as essential or unavoidable. There may be several options to mitigate risk to reduce the likelihood, consequence, or severity of a risk incident, and these may flow from one to another for continuous risk mitigation.

For example, an unavoidable risk could be fire damage to paper files. This is mitigated by filing in metal cabinets, which are mitigated further by storage in a specified room, and so forth. Alternatively, an organisation could see this risk and choose to become a paperless organisation, removing the risk of lost data held on paper. In this case, they would also have to consider the back-up and security of digital data, using a solution such as Ideagen’s Q-Pulse.

Clause 6.5.3: Preparing And Implementing Risk Treatment Plans

Once risks have been identified, evaluated, and a risk treatment course of action determined, the next step is to communicate this information to key shareholders.

A treatment plan should be concise, accurate, and deliver information in a timely and clear manner. It needs to outline the risk criteria, analysis, and treatments, and identify who is accountable for ensuring listed controls are applied. A good risk treatment plan will demonstrate:

What the risk is
How it is mitigated
Who is responsible for it
The required timeframe for action
The reporting requirements for accountable individuals

A risk treatment plan is useful for communicating on a broad level what the current risk management strategy is. It will demonstrate the rationale behind decisions made regarding removed, mitigated, or retained risks, and how responsibility is divided. This ties in well with Clause 5.2, which focused on Leadership and Commitment , and Clause 6.2 on Communication and Consultation .

A risk treatment strategy needs to be integrated into the overall business performance objectives and reviews. There should be full commitment from management if it is going to be continuously effective and drive improvement and efficiency across the organisation. Discover how our risk management system can help you comply with ISO 31000.

CONNECT WITH US

Solutions

AUDIT & RISK
External Audit
Internal Audit
Risk Management

DOCUMENT COLLABORATION
Huddle
Mail Manager
OnePlace Solutions
PleaseReview

E-LEARNING & CONTENT
CompliSpace
WorkRite

ENVIRONMENTAL, HEALTH & SAFETY
EHS

QUALITY
Coruson
Quality Control
Quality Management
Smartforms

USEFUL LINKS

Sustainability report

CONNECT WITH US

Privacy policy Terms of use Data protection policy Environmental policy Sexual harassment policy Slavery and human trafficking statement