Docs

Appearance

Risk Treatment

Risk treatment is how you decide “what we’re going to do about it” once risk is expressed in monetary terms.

Treatment is not risk avoidance. It is selecting the right response based on expected loss and risk appetite:

  • Accept when the quantified value is within appetite
  • Mitigate by lowering the rate or damage through concrete controls
  • Transfer via contractual, insurance, or vendor mechanisms
  • Avoid by changing the scope or removing the capability

Where in Modulos

Risk treatment is expressed through the governance system, not a separate “treatment wizard”:

  • use Project → Risks to compare quantified exposure against limits
  • implement mitigations as controls under Project → Controls
  • attach proof as evidence under Project → Evidence
  • use reviews to get sign-off where needed under Project → Reviews

For the end-to-end operating model, see Operating Model.

Permissions

  • Project Owner and Editor typically implement mitigations and attach evidence.
  • Project Reviewer makes review decisions.
  • Project Auditor is read-only for assurance.

How it works

Treatment is a continuous cycle tied to evidence and re-quantification.

How to use it

ROI framing for mitigations

Quantification enables a practical question:

“If we spend €X, how much expected loss do we reduce, and how quickly does it pay back?”

Mitigations usually target:

  • rate reduction (prevention, detection, operational controls)
  • damage reduction (containment, response, fail-safes, human oversight)

Mitigation controls

Mitigation is only real when it shows up as a concrete control with owners and evidence. Capture mitigations as controls, link evidence, and re-quantify to measure impact.

What “good treatment” looks like

Good treatment is specific:

  • it targets the highest-value risk threats, not the most generic risks
  • it reduces rate or damage in ways you can observe
  • it assigns an owner and a verification signal

Examples of treatment levers:

  • rate reduction: better evaluation, guardrails, monitoring, access control, user training, safe defaults
  • damage reduction: human-in-the-loop, kill switches, incident response playbooks, rollback and containment
  • transfer: vendor obligations, contractual warranties, insurance, procurement requirements
  • avoid: remove a capability, restrict a use case, change the operating model

Make treatment auditable

Treatment decisions become audit-ready when they are tied to implementation and proof:

  • translate the mitigation into one or more controls
  • collect evidence that shows the control exists and is operating
  • define a verification signal over time, such as tests and monitoring

This is where risk connects to governance. Quantification explains why you invested. Controls and evidence prove you did.

How treatment becomes audit-ready in Modulos

In practice, treatment becomes auditable when you can point to:

  • the quantified baseline and assumptions
  • the mitigation decisions and owners
  • the implemented mitigation controls and procedures
  • the evidence that proves implementation
  • the verification signals over time (for example testing results and monitoring)

Quantification should be re-run after meaningful mitigations and whenever the system or environment changes.

Portfolio Overview

How risk rollups and limits support governance

Project Risks

The project view where risks and threats are managed

Risk Quantification

The expected-loss model and how to run quantification