What you can do (treatment options)

Duration: 45-60 minutes

Materials: Your risk matrix, treatment option cards, markers

The exercise

For each risk above your appetite line, identify what you can actually do about it.

Step 1: Understand your options (10 minutes)

There are four basic treatments:

  • Treat (Mitigate, Reduce): Implement controls to reduce likelihood or impact

  • Accept: Consciously decide to live with the risk (usually low risks)

  • Transfer: Share the risk (insurance, contracts, outsourcing)

  • Avoid: Change operations to eliminate the risk entirely

Step 2: Work through priority risks (30 minutes)

Start with Critical and High risks. For each, brainstorm:

Treat/Mitigate/Reduce options:

  • What controls could reduce likelihood? (Prevention)

  • What could reduce impact if it happens? (Protection/Detection/Response)

  • What is the effort/cost?

  • How long to implement?

Transfer options:

  • Can insurance cover this?

  • Can contracts pass responsibility to suppliers?

  • Can we share the risk?

Avoid options:

  • Can we stop doing the risky thing?

  • Can we redesign to eliminate the vulnerability?

  • Is avoidance realistic?

Accept:

  • What are our conscious acceptance criteria?

  • Who needs to approve acceptance?

  • What is our monitoring plan?

Write treatment options on cards, linking to specific risks.

Step 3: Reality check (10 minutes)

For proposed treatments:

  • Is this actually feasible?

  • Do we have budget/resources?

  • What is the timeline?

  • Does this create new risks?

Be honest. “We should implement MFA” is not a plan if you have no budget or skills.

Step 4: Prioritise treatments (10 minutes)

You cannot do everything at once. Prioritise based on:

  • Risk severity (Critical first)

  • Quick wins (high impact, low effort)

  • Dependencies (what must happen first)

  • Available resources

  • Compliance requirements

Create a rough implementation order.

Output

  • Treatment options for each priority risk

  • Reality-checked for feasibility

  • Prioritised implementation order

  • Clear ownership for decisions

Common pitfalls

“Only technical solutions” → Include process, training, contracts

“Overly ambitious” → “Implement zero trust architecture” isn’t a treatment plan for a small team

“Treating everything” → Some risks should be accepted, and that’s okay

“No ownership” → Who actually implements? Who pays?