Risk Treatment
Risk treatment is how you decide “what we’re going to do about it” once risk is expressed in monetary terms.
Treatment is not risk avoidance. It is selecting the right response based on expected loss and risk appetite:
- Accept when the quantified value is within appetite
- Mitigate by lowering the rate or damage through concrete controls
- Transfer via contractual, insurance, or vendor mechanisms
- Avoid by changing the scope or removing the capability
Baseline expected loss: € 2.4M (quantify before you invest)
Residual expected loss: € 900K (after mitigations, re-quantify to measure impact)
Where in Modulos
Risk treatment is expressed through the governance system, not a separate “treatment wizard”:
- use Project → Risks to compare quantified exposure against limits
- implement mitigations as controls under Project → Controls
- attach proof as evidence under Project → Evidence
- use reviews to get sign-off where needed under Project → Reviews
For the end-to-end operating model, see Operating Model.
Permissions
- Project Owner and Editor typically implement mitigations and attach evidence.
- Project Reviewer makes review decisions.
- Project Auditor is read-only for assurance.
How it works
Treatment is a continuous cycle tied to evidence and re-quantification.
Treatment cycle:
1. Quantify baseline
2. Choose strategy (Accept, Mitigate, Transfer, or Avoid)
3. Implement controls
4. Collect evidence
5. Re-quantify
Mitigation must be auditable: owners, controls, evidence.
Residual risk is measured, not assumed.
How to use it
1. Quantify the baseline: make assumptions explicit and produce a monetary value
2. Choose a response: accept, mitigate, transfer, or avoid within appetite
3. Implement mitigations: translate decisions into controls, procedures, and tooling
4. Verify and re-quantify: prove implementation and measure risk reduction over time
ROI framing for mitigations
Quantification enables a practical question:
“If we spend €X, how much expected loss do we reduce, and how quickly does it pay back?”
Mitigations usually target:
- rate reduction (prevention, detection, operational controls)
- damage reduction (containment, response, fail-safes, human oversight)
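The ROI question above in runnable form, as an added example that is not Modulos code (the page shows none): expected loss is modelled as annual event rate times damage per event, each mitigation as a factor on rate or damage, and the residual is compared against appetite to answer "how much do we reduce, and how fast does it pay back?". The risk, mitigation names, costs and factors are constructed so that the figures reproduce the € 2.4M baseline and € 900K residual illustrated above.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Risk:
    name: str
    rate_per_year: float      # expected events per year (the "rate" lever)
    damage_per_event: float   # loss per event in EUR (the "damage" lever)

    def expected_loss(self) -> float:
        return self.rate_per_year * self.damage_per_event

@dataclass
class Mitigation:
    name: str
    cost: float                 # one-off spend in EUR
    rate_factor: float = 1.0    # 0.5 halves the event rate (prevention, detection)
    damage_factor: float = 1.0  # 0.75 cuts loss per event by a quarter (containment)

def apply(risk: Risk, mitigations: List[Mitigation]) -> Risk:
    """Residual risk after all mitigations; factors compose multiplicatively."""
    rate, damage = risk.rate_per_year, risk.damage_per_event
    for m in mitigations:
        rate *= m.rate_factor
        damage *= m.damage_factor
    return Risk(risk.name, rate, damage)

def treatment_roi(risk: Risk, mitigations: List[Mitigation], appetite: float) -> dict:
    """Re-quantify after treatment and express the result as reduction, payback and a decision."""
    residual = apply(risk, mitigations)
    reduction = risk.expected_loss() - residual.expected_loss()   # EUR saved per year
    spend = sum(m.cost for m in mitigations)
    # A mitigation that does not lower rate or damage never pays back.
    payback_years = spend / reduction if reduction > 0 else float("inf")
    decision = "accept residual" if residual.expected_loss() <= appetite else "treat further"
    return {
        "baseline_expected_loss": risk.expected_loss(),
        "residual_expected_loss": residual.expected_loss(),
        "annual_reduction": reduction,
        "spend": spend,
        "payback_years": payback_years,
        "decision": decision,
    }

# Constructed sample values: 4 incidents/year at EUR 600K each gives the EUR 2.4M baseline.
BASELINE = Risk("constructed: model output leaks customer data", 4.0, 600_000.0)
MITIGATIONS = [
    Mitigation("output monitoring and blocking (rate)", cost=200_000.0, rate_factor=0.5),
    Mitigation("containment playbook and rollback (damage)", cost=100_000.0, damage_factor=0.75),
]

if __name__ == "__main__":
    print(treatment_roi(BASELINE, MITIGATIONS, appetite=1_000_000.0))
```

With these inputs the residual is € 900K, within a € 1M appetite, and the € 300K spend pays back in 0.2 years against € 1.5M of avoided annual loss.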
Mitigation controls
Mitigation is only real when it shows up as a concrete control with owners and evidence. Capture mitigations as controls, link evidence, and re-quantify to measure impact.
What “good treatment” looks like
Good treatment is specific:
- it targets the highest-value threats, not the most generic risks
- it reduces rate or damage in ways you can observe
- it assigns an owner and a verification signal
Examples of treatment levers:
- rate reduction: better evaluation, guardrails, monitoring, access control, user training, safe defaults
- damage reduction: human-in-the-loop, kill switches, incident response playbooks, rollback and containment
- transfer: vendor obligations, contractual warranties, insurance, procurement requirements
- avoid: remove a capability, restrict a use case, change the operating model
Make treatment auditable
Treatment decisions become audit-ready when they are tied to implementation and proof:
- translate the mitigation into one or more controls
- collect evidence that shows the control exists and is operating
- define a verification signal over time, such as tests and monitoring
This is where risk connects to governance. Quantification explains why you invested. Controls and evidence prove you did.
How treatment becomes audit-ready in Modulos
In practice, treatment becomes auditable when you can point to:
- the quantified baseline and assumptions
- the mitigation decisions and owners
- the implemented mitigation controls and procedures
- the evidence that proves implementation
- the verification signals over time (for example testing results and monitoring)
Quantification should be re-run after meaningful mitigations and whenever the system or environment changes.