You have identified the risks on your project. You have scored them for probability and impact. Your risk register is populated and your heat map is colour-coded. Now comes the question that actually matters: what are you going to do about each one?
This is where treatment strategies come in. Every risk on your register needs a deliberate response, and there are exactly four options: avoid, mitigate, transfer, or accept. Understanding when to use each one is the difference between reactive firefighting and proactive risk management.
The four strategies at a glance
| Strategy | What it does | When to use it | Risk score after |
|---|---|---|---|
| Avoid | Eliminates the risk entirely by changing the plan | When the risk is unacceptable and an alternative approach exists | Zero (risk removed) |
| Mitigate | Reduces probability, impact, or both | Most common; when you can take action to make the risk smaller | Lower (residual risk) |
| Transfer | Shifts the financial or operational consequence to a third party | When someone else is better positioned to bear the risk | Same probability, reduced financial exposure |
| Accept | Acknowledges the risk and prepares for the consequences | When the cost of treatment exceeds the potential impact, or the risk is unavoidable | Unchanged |
Most risks on a typical project will be mitigated. A few will be transferred. Occasionally you will avoid or accept. The skill is in choosing the right strategy for each specific risk based on its score, the available options, and the cost of treatment.
Avoid: change the plan so the risk cannot happen
Avoidance is the most decisive strategy. You change your project plan, scope, approach, or technology so that the risk is eliminated entirely.
When it works well:
A software team planned to use an unproven third-party API for payment processing. During risk identification, they flagged the risk of API instability causing transaction failures. Score: 4 × 4 = 16 (High). Rather than accepting or mitigating that risk, they switched to a well-established payment provider with a proven track record. The risk disappeared.
A construction project planned to start excavation in December, risking frozen ground and weather delays. Score: 4 × 3 = 12 (High). By rescheduling excavation to March, the weather risk was avoided entirely.
When it does not work:
Avoidance often involves trade-offs. Switching to the established payment provider might cost more. Delaying excavation pushes the entire programme back by three months. You are eliminating one risk but potentially creating or increasing others.
You cannot avoid risks that are inherent to the project's purpose. If you are building a high-rise, you cannot avoid the risk of working at height. If you are launching a new product, you cannot avoid market risk. For these, mitigation or transfer is the right approach.
Documenting avoidance: In your risk register, mark the treatment strategy as "Avoid" and describe the plan change that eliminates the risk. The risk can then be closed, though it is worth keeping a note of what was changed so future projects understand why.
Mitigate: reduce the probability or impact
Mitigation is the workhorse of risk management. You take specific actions to make the risk less likely, less severe, or both. The risk still exists, but it is smaller and more manageable.
Reducing probability:
Cross-training team members reduces the probability that a single person's departure will halt the project. Running a pilot test reduces the probability that a full deployment will fail. Ordering materials early reduces the probability that supply chain delays will affect your schedule.
Reducing impact:
Building schedule buffer into the critical path reduces the impact of individual task delays. Setting up a backup server reduces the impact of a primary server failure. Carrying contingency budget reduces the impact of cost overruns.
Reducing both:
Sometimes a single action addresses both dimensions. A thorough site investigation before construction reduces both the probability of encountering unexpected ground conditions (because you now know what is there) and the impact if something unexpected is found (because you have time to adjust the design).
The mitigation plan should be specific. "Monitor the situation" is not mitigation. Effective mitigation actions have:
- A clear description of what will be done
- An owner responsible for doing it
- A deadline for completion
- A way to verify it was done
For example: "James to complete cross-training documentation for the legacy database migration by April 15. Maria to review and confirm coverage by April 18."
Residual risk: After mitigation, rescore the risk to get the residual score. If the inherent score was 16 (High) and your mitigations bring it down to 8 (Medium), that is a meaningful improvement. If it is still 15, your mitigation plan is not strong enough and needs rethinking.
Transfer: shift the consequence to someone else
Risk transfer does not make the risk go away. The event can still happen. What changes is who bears the financial or operational consequences.
Insurance is the most familiar form of risk transfer. You pay a premium to transfer the financial impact of specific events (fire, theft, liability, professional negligence) to an insurer. The risk of the event occurring has not changed, but your financial exposure is capped.
Contractual transfer is common in construction and outsourcing. A fixed-price contract transfers cost overrun risk to the contractor. A penalty clause for late delivery transfers schedule risk to the supplier. A warranty transfers defect risk to the manufacturer.
Outsourcing transfers operational risk. If you hire a specialist security firm for your event, you are transferring the operational risk of crowd management to a team with more experience and capability than your own.
Important caveats about transfer:
Transfer does not eliminate accountability. If your subcontractor's work fails, you may have contractual recourse, but your project is still delayed and your client is still unhappy. Transfer the financial risk, but do not transfer your attention.
Transfer has a cost. Insurance premiums, the markup on a fixed-price contract, the fee for a specialist firm: these are all the price of transferring risk. Sometimes that price is worth paying. Sometimes it is cheaper to mitigate the risk yourself.
You can only transfer risks to parties who are willing and able to bear them. Pushing risk onto a subcontractor who cannot absorb it just means the risk comes back to you when they fail.
Accept: acknowledge it and prepare
Acceptance is the right strategy when the cost of avoiding, mitigating, or transferring the risk exceeds the expected impact, or when the risk is simply outside your ability to influence.
Active acceptance means you acknowledge the risk and prepare a contingency plan in case it happens. You do not try to prevent it, but you are ready to respond. A contingency budget is a form of active acceptance: you are setting money aside for risks that may or may not materialise.
Passive acceptance means you acknowledge the risk and choose to deal with it if and when it happens, without a pre-planned response. This is appropriate only for low-scoring risks where even the contingency planning effort would be disproportionate to the potential impact.
Example of active acceptance: Your outdoor event faces the risk of light rain. Probability: 4 (Likely). Impact: 1 (Negligible, because the venue has covered areas and attendees can manage). Score: 4. You accept the risk actively by having umbrellas available and a wet-weather announcement prepared, but you do not change the event plan.
Example where acceptance is wrong: A Critical-scored risk (20 to 25) should almost never be accepted. If the potential impact is catastrophic and the probability is high, acceptance is not a strategy but an abdication of responsibility. These risks demand avoidance or aggressive mitigation.
Choosing the right strategy
There is no formula for choosing between the four strategies. It is a judgement call informed by the risk score, the available options, and practical constraints. But here are some guidelines:
Start with the score. Critical risks (20 to 25) demand avoidance or aggressive mitigation. High risks (12 to 19) need active mitigation or transfer. Medium risks (6 to 11) can often be mitigated with proportionate effort or actively accepted. Low risks (1 to 5) are usually accepted with periodic monitoring.
Consider the cost of treatment. If mitigating a risk costs more than the expected impact of the risk itself, acceptance may be the rational choice. But be honest about the full cost of the impact, including indirect costs like reputation damage, team morale, and knock-on effects to other projects.
Consider who is best placed to manage the risk. If a specialist contractor has more experience managing a particular type of risk, transfer might be more effective than attempting to mitigate it yourself. If the risk is entirely within your team's control, mitigation is usually the most direct approach.
Consider combinations. You can combine strategies. Mitigate the probability while transferring the remaining financial impact (for example, implement fire prevention measures and carry fire insurance). Accept a risk overall but maintain a contingency plan for the worst-case scenario.
Documenting treatment strategies
Every risk in your register should have a documented treatment strategy. At minimum, record:
- The chosen strategy (avoid / mitigate / transfer / accept)
- The specific actions or arrangements that implement that strategy
- Who is responsible (the risk owner)
- The expected residual risk score after treatment
This documentation serves two purposes. It makes the treatment plan visible to the team, so everyone knows what is being done. And it creates accountability: someone is on the hook for making sure the strategy is actually executed.
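The documentation rules above can be checked mechanically. The following is an added example, not code from the article or from Riskjar: a small register lint that flags entries breaking the article's own guidance (Critical risks marked accept, mitigation that does not lower the score, actions without an owner, deadline or verification). The dictionary field names, the 1 to 5 probability and impact scales, and the sample entries are assumptions made for illustration.

```python
# Score bands from the article; the 1-5 probability and impact scales are assumed.
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]
STRATEGIES = {"avoid", "mitigate", "transfer", "accept"}
ACTION_FIELDS = ("description", "owner", "deadline", "verification")

def band(score):
    return next(name for floor, name in BANDS if score >= floor)

def lint(risk):
    """Return findings for one register entry; an empty list means it passes."""
    inherent = risk["probability"] * risk["impact"]
    strategy, residual = risk.get("strategy"), risk.get("residual")
    if strategy not in STRATEGIES:
        return [f"unknown strategy {strategy!r}"]
    findings = []
    if not risk.get("owner"):
        findings.append("no risk owner recorded")
    if residual is None:
        findings.append("no expected residual score")
    if strategy == "accept" and band(inherent) == "Critical":
        findings.append("Critical risk marked accept")
    if strategy == "avoid" and residual not in (None, 0):
        findings.append("avoid should leave a residual score of 0")
    if strategy == "mitigate":
        if residual is not None and residual >= inherent:
            findings.append(f"residual {residual} is not below inherent {inherent}")
        if not risk.get("actions"):
            findings.append("no mitigation actions listed")
        for action in risk.get("actions", []):
            missing = [f for f in ACTION_FIELDS if not action.get(f)]
            if missing:
                findings.append("action missing: " + ", ".join(missing))
    return findings

# Constructed register entries, loosely based on the article's examples.
REGISTER = [
    {"title": "Payment API instability", "probability": 4, "impact": 4,
     "strategy": "avoid", "owner": "PM", "residual": 0},
    {"title": "Key person departure", "probability": 4, "impact": 4,
     "strategy": "mitigate", "owner": "James", "residual": 8,
     "actions": [{"description": "Cross-training documentation", "owner": "James",
                  "deadline": "April 15", "verification": "Maria reviews by April 18"}]},
    {"title": "Data centre loss", "probability": 5, "impact": 5,
     "strategy": "accept", "owner": "", "residual": 25},
    {"title": "Supplier delay", "probability": 3, "impact": 4,
     "strategy": "mitigate", "owner": "Ops", "residual": 12,
     "actions": [{"description": "Monitor the situation"}]},
]
```

Calling `lint(entry)` for each entry in `REGISTER` returns an empty list for the first two and findings for the last two; the check reports gaps in the record and does not choose a strategy, which remains a judgement call.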
Track your treatment strategies and actions in one place. Riskjar lets you set the strategy for each risk and attach specific actions with owners, due dates, and completion tracking. The whole team sees what is being done and what is overdue.