7 RISK TREATMENT
Now we have completed the risk assessment process, it is time to begin to consider how to deal with the risks we have identified. The actions we take to treat risk are referred to as controls.
A control is any measure or action that modifies risk. Controls include any policy, procedure, practice, process, technology and technique, method or device that modifies or manages risk. Risk treatments either become controls, or modify existing controls, once they have been implemented.
Controls are the tools we use to take a level of inherent risk and modify it to a level that falls within the organisation’s risk appetite, at which point the organisation is willing to accept the residual risk.
This chapter begins by taking an overview ...