What you can do: treatment options
Duration: 45 to 60 minutes
Materials: your risk matrix from the previous exercise, cards for treatment options, markers
The exercise
For each risk above your appetite line, identify what you can actually do about it. The constraint on “actually” matters. Treatment options that cannot be implemented given the organisation’s actual capacity, budget, and authority structure are not treatment options. They are aspirations, and aspirations do not reduce risk.
This is where ChangeShop is most directly applicable. Most treatment plans fail not because the technical controls are unavailable but because the conditions for implementing them are not in place: no clear owner, no protected budget, no authority to make the required changes, implementation that would require co-operation from teams that have not been engaged. A treatment plan that does not account for these conditions will produce a list of things to do that gradually ages in a register without being done.
Step 1: Understand the options (10 minutes)
Four basic treatment approaches:
Treat (mitigate or reduce): implement controls to reduce likelihood, impact, or both. This is the most common approach and the one most often scoped too ambitiously.
Accept: consciously decide to live with the risk. Acceptance is legitimate for low risks, or for risks where treatment would cost more than the exposure. The key word is “consciously”: acceptance is most useful as an explicit decision made by someone with the authority to make it, not a default outcome of inaction.
Transfer: share the risk through insurance, contracts, or outsourcing. Transfer does not eliminate the risk; it changes who bears the financial consequence if it materialises.
Avoid: change operations to eliminate the risk entirely. This is sometimes possible and often overlooked. If a process creates a risk that is not justified by the value of the process, stopping the process is a legitimate option.
Step 2: Work through priority risks (30 minutes)
For each critical and high risk, identify realistic treatment options in each applicable category. For each proposed treatment, ask: what would reduce the likelihood of this? What would reduce the impact if it occurs? What would improve detection and response?
Be honest about feasibility. “Implement MFA” is not a treatment plan for an organisation that does not have the budget to license an identity provider or the technical capacity to configure one. The exercise is most useful when it surfaces feasibility constraints rather than papering over them.
For each proposed treatment, ask: what is the actual effort and cost? What is the realistic timeline? Does this create new risks? Who needs to approve and fund it? Who would implement it? If the answers to those questions are unclear, the treatment is not ready to be committed to.
Step 3: Prioritise (10 minutes)
You cannot do everything at once. Prioritise treatment based on risk severity, quick wins (high impact, low effort), dependencies (what must happen before something else can happen), available resources, and any binding compliance obligations.
The quick wins question is worth spending time on. There is usually a treatment that reduces significant risk at modest cost and that has been deferred because it was not urgent enough to compete with other priorities. Making it visible and assigning it an owner often produces more immediate risk reduction than the ambitious treatment plans that require twelve months and cross-team co-ordination.
Output
Treatment options for each priority risk, reality-checked for feasibility, with a rough prioritisation order and clear ownership for each decision.
What the exercise reveals
The treatment conversation exposes the gap between what the organisation recognises it could do and what it is actually in a position to do. That gap is important information. A treatment plan that requires resources or authority the organisation does not have is not a plan; it is a statement of what would be needed.
If the gap is large, that is a finding for leadership, not a reason to produce ambitious treatment plans that will not be implemented. An honest treatment assessment that says “we can address three of these six critical risks with current capacity; addressing the remaining three requires X” is more useful than a plan that nominally addresses all six and is implemented for none of them.