Domain 2: Information Security Risk Management Module 10 of 47

Module 10: Risk Treatment / Risk Response Options

CISM Domain 2 — Information Security Risk Management, Section B (10–12 min read)

What the Exam Is Really Testing

Forget the terminology. Avoid, mitigate, transfer, accept — those labels are table stakes. What the exam is really checking:

Risk response must align with enterprise risk appetite, business objectives, and cost-benefit logic.

The exam evaluates whether you can:

  • Choose proportionate treatment
  • Justify response decisions
  • Document risk acceptance properly
  • Escalate when residual risk exceeds tolerance
  • Avoid over- or under-reacting

Risk response is governance-driven decision-making.

The Executive Mindset Shift

What feels right:

Fix every risk.

What the exam rewards:

Treat risk in alignment with enterprise tolerance and business value.

Security leaders must:

  • Evaluate residual risk
  • Consider cost vs benefit
  • Align with strategy
  • Engage risk owners
  • Document decisions formally

Eliminating all risk is neither realistic nor strategic.

The Four Core Response Options

1. Risk Avoidance

Eliminate the activity causing the risk.

Used when:

  • Risk exceeds tolerance
  • No cost-effective mitigation exists
  • Strategic objectives allow withdrawal

Example: Discontinuing a high-risk service.

Avoidance impacts business capability.

2. Risk Mitigation (Reduction)

Implement controls to reduce likelihood or impact.

Used when:

  • Risk is material
  • Controls are cost-effective
  • The business objective must continue

This is the most common response.

3. Risk Transfer

Shift financial impact to another party.

Examples:

  • Insurance
  • Contractual liability clauses
  • Outsourcing

Important nuance: Transfer does NOT eliminate accountability. Residual risk still exists.

4. Risk Acceptance

Formally acknowledge and document risk without additional mitigation.

Used when:

  • Risk is within appetite
  • Mitigation cost exceeds benefit
  • Business decision supports exposure

Acceptance must be documented and approved by appropriate authority.

Critical Governance Principles

  • Risk owners approve acceptance.
  • Security leaders advise — they do not unilaterally accept.
  • Residual risk drives escalation.
  • Cost-benefit analysis matters.
  • Risk response must be documented.

CISM frequently tests escalation and documentation.

Pattern Recognition

When selecting a response, ask:

  1. Does residual risk exceed appetite?
  2. Is mitigation cost reasonable?
  3. Is business continuity dependent on this activity?
  4. Is there an insurable component?
  5. Who owns the risk?

Correct answers often involve:

  • Formal risk acceptance documentation
  • Risk-based mitigation
  • Escalation to risk owner
  • Cost-benefit analysis

Not:

  • Eliminating activity unnecessarily
  • Ignoring risk
  • Security making business decisions alone
  • Buying tools without analysis
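The five questions above can be walked mechanically once a risk is expressed in money terms. The following is an added example, not part of the module or of any ISACA material: it assumes a risk is quantified as an annualized loss expectancy (ALE), that the risk owner has set an ALE appetite, and that a candidate control is known by its yearly cost and the fraction of loss it removes. The names Risk, Control and recommend are invented for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    ale: float        # annualized loss expectancy before treatment (constructed, USD/yr)
    appetite: float   # largest ALE the risk owner will tolerate for this risk
    owner: str        # business risk owner who must approve acceptance or escalation

@dataclass
class Control:
    annual_cost: float  # yearly cost to operate the mitigating control
    reduction: float    # fraction of the ALE the control removes, 0.0..1.0

def recommend(risk: Risk, control: Optional[Control] = None,
              insurable: bool = False, can_withdraw: bool = False) -> dict:
    """Walk the five questions and return the proportionate response."""
    residual = risk.ale
    cost_effective = False
    if control is not None:
        treated = risk.ale * (1.0 - control.reduction)
        # Cost-benefit: a control earns its place only if it removes
        # more annual loss than it costs to run.
        cost_effective = control.annual_cost < (risk.ale - treated)
        if cost_effective:
            residual = treated

    if risk.ale <= risk.appetite:
        # Within appetite: proceed, with reasonable mitigation if it pays for itself.
        response = "mitigate" if cost_effective else "accept"
    elif cost_effective:
        response = "mitigate"
    elif insurable:
        response = "transfer"   # financial impact moves; accountability does not
    elif can_withdraw:
        response = "avoid"
        residual = 0.0
    else:
        response = "accept"     # only as a documented, owner-approved decision
    # Residual above appetite is never absorbed silently: the owner decides.
    escalate = residual > risk.appetite
    return {
        "response": response,
        "residual_ale": round(residual, 2),
        "escalate_to": risk.owner if escalate else None,
        "owner_approval_required": response == "accept" or escalate,
    }
```

Note that a transfer or a partially effective control still leaves residual ALE above appetite in some cases, and the helper then names the owner for escalation rather than treating the risk as closed.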

Trap Pattern

Common wrong instincts:

  • “Mitigate everything”
  • “Transfer means no responsibility”
  • “Accept without documentation”
  • “Avoid whenever risk is high”

CISM emphasizes a proportional, governance-aligned response.

Scenario Practice

Question 1

A residual risk remains after mitigation and exceeds the organization’s defined risk appetite.

What should occur NEXT?

A. Document the risk and escalate to appropriate risk owner for decision
B. Accept the risk informally
C. Ignore the excess exposure
D. Replace the entire system immediately

Answer & reasoning

Correct: A

Residual risk above appetite requires formal escalation and documented decision-making.

Question 2

A mitigation control would cost significantly more than the potential financial impact of the risk.

What is the MOST appropriate response?

A. Conduct cost-benefit analysis and consider formal risk acceptance
B. Implement the control anyway
C. Transfer the risk immediately
D. Shut down the affected system

Answer & reasoning

Correct: A

Risk treatment must be economically rational and aligned with business judgment.

Question 3

A business initiative generates high revenue but introduces moderate information security risk within defined appetite.

What is the MOST appropriate response?

A. Recommend reasonable mitigation while allowing the initiative to proceed
B. Avoid the initiative
C. Block the initiative entirely
D. Ignore the risk

Answer & reasoning

Correct: A

Risk within appetite should be managed proportionally, not eliminated.

Question 4

An organization purchases cyber insurance to address potential breach losses.

What risk response strategy is primarily being used?

A. Avoidance
B. Transfer
C. Mitigation
D. Acceptance

Answer & reasoning

Correct: B

Insurance transfers financial impact but does not eliminate risk.

Question 5

Leadership decides to accept a known risk but does not document the decision.

What is the PRIMARY governance weakness?

A. Encryption gap
B. Failure to implement mitigation
C. Lack of formal risk acceptance process
D. Vendor mismanagement

Answer & reasoning

Correct: C

Risk acceptance must be documented and approved by authorized risk owners.

Key Takeaway

In CISM:

Risk response is a business decision — guided by security expertise.

Before selecting a response:

  • Evaluate residual risk.
  • Compare against appetite.
  • Assess cost vs benefit.
  • Escalate to appropriate authority.
  • Document decisions.

Security leaders advise. Risk owners decide.
