No organization is free from external and internal factors that make the achievement of its objectives uncertain. According to the definition set out in ISO 31000, a risk is the effect of this uncertainty on the objectives.
The standard sets out reference principles and guidelines for addressing risk treatment. The process is cyclical: it involves assessing the risk treatment, deciding whether the levels of residual risk are acceptable or whether a new risk treatment needs to be generated, and then assessing the effectiveness of that treatment.
When choosing the most appropriate options for risk treatment, the costs and effort of implementation must be balanced against the resulting benefits.
It is also possible to identify risks whose treatment is not justifiable due to economic reasons. Therefore, the organization must ensure an appropriate balance between the possible benefits of retaining risk and the potential cost or negative impact the risk may represent.
Risk treatment requires continuous review and updating, since the context, internal or external factors, strategies, and objectives of the organization may change.