The final stage of our risk assessment is deciding whether our risks need to be addressed or ignored, and then ordering them based on their priority.
Accept or Address?
Organisations cannot cover every single risk that has been identified for a number of reasons. Under certain circumstances it could be more beneficial to simply accept the risk, rather than implement measures to control it.
Reasons that an organisation may wish to accept uncertainties could be any of the following:
- The level of the risk is so low that treatment would not be worthwhile
- The cost of treatment controls is higher than the benefits
- The opportunities that arise from the uncertainty outweigh the threats
Most of the decisions to accept or address risks will be determined by our Risk Appetite. By accepting certain risks there is no need for implementing treatment controls as we are allowing the risk to continue to exist in its current state.
Prioritisation
Those risks that were not deemed ‘acceptable’ will now have to be addressed through a number of control methods. But before we implement strategies to control our risks, we need a plan for the order in which to address them, so that those which present the highest levels of negative risk (and highest levels of positive risk) are addressed first.
The most efficient method to prioritise our uncertainties is to use results from the risk map.
The risks placed closest to ‘critical’ on the risk map will be our starting point for treatment controls. As the results from the risk map progress away from critical, these risks should be addressed accordingly. It may be useful at this stage to produce a list of the order in which each risk is going to be controlled.


