What Is Risk Treatment in ISO Standards? Definition and Examples

CertBetter

Team CertBetter


Risk Treatment in ISO Standards: What It Actually Means

Risk treatment is one of those terms that appears constantly across ISO standards, yet many businesses implementing a management system for the first time are not entirely sure what it means in practice. If you have been working through ISO 9001, ISO 27001, ISO 45001, or any standard built on the ISO 31000 risk management framework, you have almost certainly come across this term. So let us break it down clearly.

At its core, risk treatment refers to the process of selecting and implementing options to address identified risks. Once you have assessed a risk and decided it needs attention, risk treatment is the step where you actually do something about it. It is not just about eliminating risk entirely. In fact, that is rarely possible or even desirable. Risk treatment is about choosing the right response based on the nature of the risk, its potential impact, and the resources available to your organisation.

This article covers the formal definition, the main treatment options, how they apply across different ISO standards, and practical examples to help you apply these concepts in your own business.

The Formal Definition of Risk Treatment

ISO 31000:2018, the international standard for risk management, defines risk treatment as the process to modify risk. That definition is deliberately broad. The modification could mean reducing the likelihood of a risk occurring, reducing its consequences if it does occur, sharing the risk with another party, or simply accepting it after informed consideration.

The key word here is “process.” Risk treatment is not a one-time decision. It involves identifying treatment options, evaluating those options, preparing a treatment plan, implementing that plan, and then monitoring whether the treatment is working. This ongoing nature is why risk treatment sits within the broader Plan-Do-Check-Act cycle that underpins most ISO management systems.

It is also worth noting that risk treatment applies to both negative risks (threats) and positive risks (opportunities). ISO standards like ISO 9001:2015 explicitly ask organisations to address risks and opportunities together. So when you see the phrase “risks and opportunities” in a standard, risk treatment applies to both sides of that equation.

The Five Main Risk Treatment Options

ISO 31000 outlines five primary options for treating risk. These are not mutually exclusive. In practice, you will often combine two or more of them for a single risk. Here is what each one means and when to use it.

1. Risk Avoidance

Risk avoidance means deciding not to start or continue the activity that gives rise to the risk. This is the most definitive treatment option because it eliminates the risk entirely by removing the source. If a construction company identifies that a particular subcontractor consistently delivers non-conforming work and poses a serious quality risk, the avoidance option would be to stop using that subcontractor altogether.

Avoidance sounds appealing, but it comes with a trade-off. Avoiding a risk often means forgoing a potential opportunity. A software company that refuses to move any data to cloud infrastructure to avoid cybersecurity risk might also be avoiding the efficiency and scalability benefits that cloud offers. Risk avoidance should be chosen when the risk is genuinely unacceptable and no other treatment option can bring it to a tolerable level.

2. Risk Reduction (Mitigation)

Risk reduction involves taking actions to lower the likelihood of a risk occurring, reduce its consequences, or both. This is the most commonly applied treatment option across ISO management systems. It is the practical, hands-on response to a risk that you cannot or do not want to avoid entirely.

A food manufacturer implementing ISO 22000 might identify a risk of contamination at a particular processing stage. The risk reduction treatment could include installing physical barriers, increasing inspection frequency, training staff on hygiene protocols, and updating cleaning procedures. Each of these actions reduces either the probability or the impact of contamination without stopping production entirely.

When an auditor reviews your risk register, they will typically look closely at whether your reduction controls are specific, documented, assigned to a responsible person, and actually implemented. Vague statements like “we will monitor this” are not sufficient treatment plans.

3. Risk Sharing (Transfer)

Risk sharing means distributing the risk with one or more other parties. The most familiar form of this is insurance. When a business takes out professional indemnity insurance, it is sharing the financial consequences of a professional liability risk with the insurer. Outsourcing a high-risk activity to a specialist provider is another form of risk sharing. If a small IT company outsources its data centre operations to a specialist provider with ISO 27001 certification, it is sharing the information security risk associated with physical infrastructure management.

It is important to understand that risk sharing does not eliminate accountability. Under ISO standards, particularly ISO 27001 and ISO 9001, you remain responsible for the outcomes even when you share or transfer a risk. This is why controlling outsourced processes is a specific requirement in these standards. You need to monitor the performance of whoever is sharing the risk with you.

4. Risk Acceptance (Retention)

Risk acceptance means making a deliberate, informed decision to retain a risk without taking specific action to modify it. This is appropriate when the cost of treating the risk exceeds the potential benefit, or when the risk falls within your organisation's defined risk tolerance. The critical word here is “informed.” Passive ignorance of a risk is not acceptance. Acceptance requires a conscious decision, usually documented and approved at an appropriate level of authority.

A small professional services firm might identify a risk that a key client could leave, reducing revenue by 15 percent. After evaluating the cost of diversifying their client base versus the probability and impact of the risk, they might accept the risk and note it in their risk register with a review date. That is legitimate risk acceptance. What is not legitimate is simply failing to address a risk and calling it “accepted.”

5. Risk Exploitation (for Opportunities)

This option applies specifically to positive risks, or opportunities. Risk exploitation means taking deliberate action to ensure the opportunity is realised. If a manufacturer identifies a new market segment that could increase revenue by 30 percent, exploiting that opportunity might involve investing in new production capacity, pursuing relevant certifications, or entering a new distribution agreement. ISO 9001:2015 explicitly requires organisations to consider opportunities alongside threats, and this treatment option is how you respond to the positive side of the risk equation.

How Risk Treatment Appears Across Different ISO Standards

Risk treatment is not isolated to ISO 31000. It appears in specific, practical forms across every major management system standard. Understanding how it manifests in the standards you are working with will help you implement it correctly.

Risk Treatment in ISO 9001 Quality Management

ISO 9001:2015 does not use the term “risk treatment” explicitly, but Clause 6.1 requires you to determine risks and opportunities and plan actions to address them. Those actions are, in effect, risk treatment. The standard also requires that you evaluate the effectiveness of those actions, which aligns with the monitoring and review step in ISO 31000's treatment process.

A practical example: a small manufacturer identifies a risk that a single-source supplier could cause production delays. Their treatment plan might include qualifying a second supplier (risk reduction), holding additional safety stock (risk reduction), and including supplier performance clauses in contracts (risk sharing). Each of these is a treatment action that would be documented in the quality management system and reviewed at management review meetings.

Risk Treatment in ISO 27001 Information Security

ISO 27001 has one of the most structured risk treatment frameworks of any management system standard. Clause 6.1.3 specifically requires organisations to produce a Risk Treatment Plan and a Statement of Applicability. The treatment options in ISO 27001 are described as modify, retain, avoid, and share, which map directly to the ISO 31000 options.

What makes ISO 27001 distinctive is the requirement to select controls from Annex A (or justify why certain controls are not applicable) as part of the treatment process. So if you identify a risk related to unauthorised access to sensitive data, your treatment might involve implementing access controls, multi-factor authentication, and encryption. Each of these is a control selected from Annex A as part of your formal risk treatment plan. If you are working through this for the first time, the ISO 27001 risk assessment guide for non-technical business owners is a helpful starting point.

Risk Treatment in ISO 45001 Occupational Health and Safety

In ISO 45001, risk treatment takes the form of the hierarchy of controls. This hierarchy is a structured approach to selecting treatment options, listed from most to least effective: elimination, substitution, engineering controls, administrative controls, and personal protective equipment. This hierarchy is itself a risk treatment decision-making framework.

For example, if a warehouse operation identifies a risk of forklift and pedestrian collision, the hierarchy guides the treatment response. Elimination might mean redesigning the workflow so forklifts and pedestrians never occupy the same space. If elimination is not feasible, substitution might involve replacing forklifts with automated guided vehicles in pedestrian zones. Engineering controls could include physical barriers and designated walkways. Administrative controls might include traffic management procedures and training. PPE would be the last resort. The hierarchy ensures that the most effective treatment options are considered first.

Risk Treatment in ISO 14001 Environmental Management

ISO 14001 applies risk treatment primarily through its environmental aspects and impacts framework. When a significant environmental aspect is identified, the organisation must determine controls to manage it. These controls are the treatment. For a manufacturing business that generates hazardous waste, treatment options might include process changes to reduce waste generation (avoidance and reduction), contracting a licensed waste disposal company (sharing), and implementing spill containment systems (reduction).

Building a Risk Treatment Plan That Satisfies Auditors

A risk treatment plan is the documented output of your risk treatment process. It is one of the documents auditors will review closely during a certification audit. A good risk treatment plan includes the following elements for each identified risk.

  • A clear description of the risk, including its source, potential consequences, and current likelihood and impact rating.
  • The selected treatment option or options, with a brief rationale for why that option was chosen.
  • Specific actions to implement the treatment, not vague commitments.
  • Responsible persons assigned to each action.
  • Target completion dates for each action.
  • Residual risk rating after treatment, showing what the expected risk level will be once the treatment is in place.
  • Review dates to assess whether the treatment has been effective.

One of the most common findings during certification audits is a risk register that identifies risks but has no meaningful treatment actions attached to them. Auditors are not looking for perfection. They are looking for evidence that your organisation has thought carefully about its risks and has a credible, implemented plan to manage them. Vague or generic treatments will draw scrutiny.

Common Mistakes in Risk Treatment

Across years of auditing management systems, the same mistakes appear repeatedly. Here are the ones that cause the most problems.

Treating Risk Assessment as a One-Off Exercise

Risk treatment is not something you do once during implementation and then forget about. Risks change as your business, your industry, and your operating environment change. Your treatment plans need to be reviewed regularly, at least annually as part of management review, and whenever there is a significant change to your business context. A treatment that was adequate two years ago may no longer be sufficient.

Confusing Controls With Treatment Plans

Having a control in place is not the same as having a treatment plan. A treatment plan documents the decision-making process, the rationale for the chosen option, and the monitoring approach. Simply listing “we have a firewall” as your treatment for a cybersecurity risk is not a treatment plan. It is a partial description of a control. The plan should explain why the firewall was selected, what it is configured to do, who is responsible for maintaining it, and how its effectiveness is monitored.

Accepting Risks Without Proper Authority

Risk acceptance requires explicit authorisation at an appropriate level. A junior staff member should not be accepting high-level risks on behalf of the organisation. Your risk management framework should define who has the authority to accept risks at different levels, and that authority should be documented. Auditors will ask who approved risk acceptance decisions, and “we just decided it was fine” is not an acceptable answer.

Ignoring Residual Risk

After you implement a treatment, the risk does not disappear. What remains is called residual risk. Your treatment plan should include an assessment of residual risk, and you need to confirm that the residual risk level is within your organisation's risk tolerance. If it is not, additional treatment options need to be considered.
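The plan checklist above and the acceptance and residual-risk mistakes just described can be turned into a mechanical check over a risk register. The following is an added example, not code from the original article or any CertBetter tooling; the 1-5 scoring scale, the tolerance of 6, the role-to-score acceptance limits, the vague-phrase list and the two sample entries are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

OPTIONS = {"avoid", "reduce", "share", "accept", "exploit"}  # the article's treatment options
# Constructed policy values for this example (not from any standard): residual score is
# likelihood x impact on a 1-5 scale; ACCEPT_LIMIT is the highest score each role may accept.
RISK_TOLERANCE = 6
ACCEPT_LIMIT = {"team_lead": 4, "department_head": 9, "executive": 25}
VAGUE = ("monitor this", "keep an eye", "review later", "tbd")

@dataclass
class Treatment:
    option: str
    actions: list[str]
    owner: str | None = None
    due: date | None = None
    approved_by: str | None = None  # role that authorised an "accept" decision

@dataclass
class RiskEntry:
    risk_id: str
    residual_likelihood: int  # expected once the treatments are in place, 1-5
    residual_impact: int      # 1-5
    treatments: list[Treatment]
    review_date: date | None = None

def audit_entry(r: RiskEntry) -> list[str]:  # findings for one entry; empty list = passes
    f, score = [], r.residual_likelihood * r.residual_impact
    if not r.treatments:
        f.append("no treatment attached to the risk")
    for t in r.treatments:
        if t.option not in OPTIONS:
            f.append(f"unknown treatment option '{t.option}'")
        elif t.option == "accept":  # acceptance must be authorised at the right level
            if score > ACCEPT_LIMIT.get(t.approved_by or "", -1):
                f.append(f"acceptance of score {score} not authorised by '{t.approved_by}'")
        else:  # active treatments need specific actions, an owner and a target date
            if not t.actions or any(v in a.lower() for a in t.actions for v in VAGUE):
                f.append(f"'{t.option}' treatment has missing or vague actions")
            if not t.owner or not t.due:
                f.append(f"'{t.option}' treatment lacks an owner or a completion date")
    if score > RISK_TOLERANCE:
        f.append(f"residual score {score} exceeds tolerance {RISK_TOLERANCE}")
    if r.review_date is None:
        f.append("no review date to check treatment effectiveness")
    return f

def audit_register(entries: list[RiskEntry]) -> dict[str, list[str]]:
    return {r.risk_id: fs for r in entries if (fs := audit_entry(r))}  # failing entries only

# Constructed sample register: R-01 satisfies the checklist, R-02 shows the common mistakes.
SAMPLE = [
    RiskEntry("R-01", 2, 3, [Treatment("reduce", ["Enforce MFA on all admin accounts"],
                                       owner="IT manager", due=date(2025, 3, 31))],
              review_date=date(2025, 9, 30)),
    RiskEntry("R-02", 3, 4, [Treatment("reduce", ["We will monitor this"]),
                             Treatment("accept", [], approved_by="team_lead")]),
]
```

Running `audit_register(SAMPLE)` reports only R-02, with one finding per mistake: vague actions, no owner or date, acceptance above the team lead's authority, residual score above tolerance, and no review date.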

Risk Treatment and the Broader Risk Management Process

Risk treatment does not exist in isolation. It sits within a broader risk management process that begins with establishing context, moves through risk identification and assessment, and then reaches treatment. After treatment, the process continues with monitoring, review, and communication. Understanding ISO terminology around this broader process helps you see where treatment fits and why each step matters.

The relationship between risk treatment and your management system's objectives is also important. Treatment actions should be designed to protect your ability to achieve your objectives, whether those are quality objectives under ISO 9001, information security objectives under ISO 27001, or environmental objectives under ISO 14001. If a treatment plan does not connect back to your organisational objectives, it may be addressing the wrong thing.

Getting Help With Risk Treatment During Certification

If you are implementing a management system for the first time and working through risk treatment requirements, it is genuinely one of the areas where experienced guidance makes a significant difference. Getting the risk assessment and treatment framework right early saves considerable rework later, particularly when you are preparing for a Stage 1 or Stage 2 certification audit.

If you are looking for a consultant who understands risk treatment requirements across specific standards and industries, CertBetter can help. You submit one form and receive up to three competing quotes from verified ISO consultants and accredited certification bodies. The service is free for businesses, and all providers on the platform are vetted. It is a straightforward way to find someone who knows what auditors actually look for in a risk treatment plan.


Frequently Asked Questions

Risk assessment is the process of identifying, analysing, and evaluating risks to determine their significance. Risk treatment comes after assessment and involves selecting and implementing actions to modify those risks. Assessment tells you what risks you have and how serious they are. Treatment is what you do about them. Both are required steps in a complete risk management process under standards like ISO 31000, ISO 27001, and ISO 9001.

Most ISO standards that include explicit risk treatment requirements, particularly ISO 27001, require a documented Risk Treatment Plan as a specific output. For standards like ISO 9001 and ISO 45001, the requirement is to plan and implement actions to address risks, which in practice means documenting your treatment decisions somewhere, whether that is a combined risk register and treatment plan or separate documents. Auditors will expect to see evidence that treatment decisions have been made, documented, assigned, and implemented.

You can accept risks, but only where the risk level falls within your organisation's defined risk tolerance and where that acceptance is a conscious, documented, and authorised decision. Accepting every identified risk without genuine evaluation would not satisfy an auditor and would undermine the entire purpose of your management system. High-level risks that exceed your risk tolerance must be treated with reduction, avoidance, or sharing options until the residual risk reaches an acceptable level.

ISO 9001:2015 Clause 6.1 requires organisations to address both risks and opportunities. For opportunities, treatment means taking actions to realise or enhance the potential benefit. This could include investing in new capabilities, entering new markets, or improving processes to gain a competitive advantage. The treatment of opportunities follows the same structured approach as threats, with specific actions, responsible persons, timelines, and effectiveness evaluation.

Risk treatment plans should be reviewed at least annually as part of your management review process, and also whenever there is a significant change to your business, such as a new product line, a change in key personnel, a new regulatory requirement, or a major incident. The effectiveness of treatment actions should be monitored continuously, not just at formal review points. If a treatment is not working as intended, the plan needs to be updated promptly rather than waiting for the next scheduled review.

The underlying concept is consistent across all ISO management system standards because they all draw on ISO 31000 principles. However, the specific requirements and terminology vary. ISO 27001 has the most prescriptive risk treatment requirements, including a formal Risk Treatment Plan and Statement of Applicability. ISO 45001 structures treatment through the hierarchy of controls. ISO 9001 integrates treatment into its planning clauses without using the term explicitly. Understanding how each standard applies risk treatment in its specific context is important when implementing or auditing that system.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
