This page will provide further guidance on risk management.
Risk treatment is the process of modifying the risk. This will involve deciding on one or more options to modify the risk and then the implementation of these. The 'treatments' then modify existing controls or create new controls.
Risk treatment would be included in 'existing controls' and 'actions for further control' in the risk register template.
- Avoid: the decision to not start or not continue with the activity which led to risk.
- Reduce: controls will be put in place to aim to reduce the impact/likelihood of the risk.
- Accept: where the risk lies within the appetite/tolerance range, the risk may be taken in order to pursue opportunity.
- Monitor: monitoring a risk will include monitoring the status of the risk, the status of the controls in place to mitigate the risk, the status of the associated causes and the status of the associated consequences.
Continual monitoring of a risk means that, where required, the treatment option can be changed; for example, if the likelihood of a risk occurring decreases, it might then fall within the appetite/tolerance range to 'accept' the risk.
What is risk appetite and risk tolerance?
Risk appetite and risk tolerance refers to the willingness of the institution to take a certain amount of risk. The diagram below depicts risk appetite, risk tolerance and risk capacity:
Risk Appetite: risk appetite refers to the amount of risk the University/School/Directorate is willing to accept in the pursuit of its objectives.
Risk Tolerance: risk tolerance refers to the boundaries of risk taking outside which the University/School/Directorate is not willing to venture in pursuit of its objectives.
Risk Capacity: risk capacity is the amount of risk the University/School/Directorate cannot exceed.
The red area in the diagram shows where the University/School/Directorate cannot venture in relation to risk. The area in green depicts where risk is in a comfortable range.