Read as
Why this module exists. Treatment is where risk management meets execution. The four canonical options — mitigate, transfer, accept, avoid — sound simple. Picking the right one, documenting it correctly, and tracking it to closure is where most programmes fail. This module is the operational pattern for risk treatment that actually closes risks.
Why this module exists. A risk register that produces no closed risks is a registry, not a programme. The treatment lifecycle is what converts identified risk into reduced exposure. This module covers the four options, the decision logic, and the operational mechanics.
The four treatment options
| Option | When appropriate | Documentation requirement |
|---|---|---|
| Mitigate | Cost-effective control reduces L or I to within appetite | Treatment plan, owner, target date, expected residual |
| Transfer | Insurance, contract, third-party service shifts financial exposure | Policy details, coverage limits, exclusions, retention period |
| Accept | Risk is within stated appetite, or cost of treatment exceeds risk | Named accepting authority, date, rationale, expiry, review trigger |
| Avoid | Activity creating the risk can be discontinued without business cost | Decision record, what activity stopped, who approved |
DPDP Act in your stack?
Get a DPDP gap assessment
Free 30-minute call. We map your data flows against DPDP §8 obligations and tell you exactly which gaps to fix first. Auditor-defensible output.
Book DPDP scoping call
Replies in 4 working hrs · India-only · Senior consultants