CIPS Exam L4M2 Topic 6 Question 22 Discussion

Risk control is the process by which an organization reduces the likelihood of a risk event occurring or mitigates the effects that risk should it occur. Our preferred way to determine your risk control strategy is to use the four T's Process:

Transferring Risk can be achieved through the use of various forms of insurance, or the payment to third parties who are prepared to take the risk on behalf of the organization

Tolerating Risk is where no action is taken to mitigate or reduce a risk. This may be because the cost of instituting risk reduction or mitigation activity is not cost-effective or the risks of impact are at so low that they are deemed acceptable to the business (such as some trivial annoyance). Even when these risks are tolerated they should be monitored because future changes may make it no longer tolerable.

Treating Risk is a method of controlling risk through actions that reduce the likelihood of the risk occurring or minimize its impact prior to its occurrence. Also, there are contingent measures that can be developed to reduce the impact of an event once it has occurred.

Terminating Risk is the simplest and most often ignored method of dealing with risk. It is the ap-proach that should be most favored where possible and simply involves risk elimination. This can be done by altering an inherently risky process or practice to remove the risk. The same can be used when reviewing practices and processes in all areas of the business.

If an item presents a risk and can be changed or removed without it materially affecting the busi-ness, then removing the risk should be the first option considered; rather than attempting the treat, tolerate or transfer it.

LO 3, AC 3.3