CISM Domain 2 - Risk Treatment / Risk Response MindMap
Transcript
Introduction
Hey, I’m Nick from Destination Certification, and I’m here to help YOU pass the CISM exam.
In this video, we’re going to go through a review of the major topics related to Risk Treatment / Risk Response in Domain 2, to understand how they interrelate, and to guide your studies.
This is the third and final of three mind map videos for domain 2. I have included links to the other MindMap videos in the description below. These MindMaps are one part of our complete CISM MasterClass.
Terminology
As always, it’s important to think of terminology.
Understanding risk terminology creates a common language for risk discussions across your organization. These foundational concepts shape how organizations think about and respond to risks.
Risk appetite
Starting with risk appetite. It defines the amount and type of risk an organization willingly accepts in pursuit of its objectives. This strategic decision guides all risk-taking activities.
Risk tolerance
Next up, risk tolerance represents the acceptable variation in outcomes related to specific objectives. While appetite sets overall direction, tolerance defines acceptable boundaries for individual risks.
Risk capacity
Risk capacity measures the maximum amount of risk an organization can absorb without threatening its survival or fundamental objectives.
Inherent/Residual risk
Inherent risk exists before any controls are applied, representing the raw exposure. Residual risk remains after controls are implemented. For example, a public-facing web server has high inherent risk, but proper firewalls and monitoring reduce this to an acceptable residual level. The check is always the same: compare the residual risk to the tolerance set for that objective, and if it is still above tolerance, treat it further or have someone with the authority to do so formally accept it.
Treatment Options
Now that we’re properly scared by thinking of all of the risks that exist out there, let’s talk about treatment options. So rather than just staying spooked, let’s look at the practical ways to keep those risks under control.
Organizations employ four fundamental strategies when responding to identified risks, each appropriate for different risk scenarios and organizational contexts. The selection of treatment options depends on factors including risk severity, cost-benefit analysis, organizational capabilities, and strategic priorities. Effective risk management often combines multiple treatment strategies for comprehensive coverage. Understanding when and how to apply each option enables organizations to optimize their risk response portfolio.
Avoid
Risk avoidance eliminates the risk by not engaging in the activity that creates it. Sometimes the smartest security move isn’t to fight harder but to walk away — like avoiding a market that’s basically a minefield or dropping a process that’s more trouble than it’s worth.
Transfer
Risk transfer shifts the financial impact to another party, typically through insurance or contractual agreements such as outsourcing. It is basically passing the hot potato. The problem still happens, but someone else pays for the burn. One caveat the exam likes: only the financial loss is transferred. Accountability to customers, regulators, and the board stays with the organization, and a breach at an outsourcer is still your breach.
Mitigate
Risk mitigation reduces either the likelihood or impact of risks through controls and safeguards. Security controls, redundancy, and training programs all serve as mitigation measures.
Accept
Risk acceptance is basically saying, ‘Yep, we see the risk — and we’re fine with it.’ It’s the call you make when fixing the problem costs more than just living with it. It should be a conscious, documented decision by a risk owner with the authority to make it, taken within the organization’s appetite and tolerance, and revisited as the risk changes, not simply a risk nobody got around to treating.
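To show how the four options and the appetite, tolerance, and capacity terms fit together, here is a small decision helper. It is an added example, not part of the video or of Destination Certification’s material. It assumes, as a modelling choice of its own, that each risk is quantified as an annualized loss expectancy (ALE = SLE × ARO), that a control removes a fraction of likelihood and/or impact for an annual cost, and that an insurance policy reimburses a fixed share of each loss for a fixed premium. The risks, controls, policy, and thresholds in the register are constructed sample data.

```python
"""Risk treatment decision helper (added example, not from the video).

Assumptions that are mine, not the page's: ALE = SLE x ARO, controls
reduce ARO and/or SLE by a fraction, insurance reimburses a fixed share
of each loss. All figures are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: loss per event, currency units
    aro: float  # annualized rate of occurrence: events per year

    def ale(self) -> float:
        """Inherent annualized loss expectancy, before any control."""
        return round(self.sle * self.aro, 2)


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of likelihood removed (0..1)
    sle_reduction: float = 0.0  # fraction of impact removed (0..1)

    def residual_ale(self, risk: Risk) -> float:
        """Residual ALE once this control is in place."""
        return round(risk.ale() * (1 - self.aro_reduction) * (1 - self.sle_reduction), 2)


@dataclass
class Insurance:
    name: str
    premium: float
    coverage_fraction: float  # share of each loss the insurer reimburses (0..1)

    def retained_ale(self, risk: Risk) -> float:
        """Expected loss the organization still carries after reimbursement."""
        return round(risk.ale() * (1 - self.coverage_fraction), 2)


def recommend(risk, tolerance, capacity, controls=(), insurance=None):
    """Return (option, detail); option is accept, mitigate, transfer or avoid.

    tolerance: largest residual ALE acceptable for this objective.
    capacity:  largest ALE the organization can absorb at all.
    """
    inherent = risk.ale()
    if inherent <= tolerance:
        return "accept", {"residual_ale": inherent, "requires_exception": False}

    # Mitigate: best net benefit among controls that bring residual within tolerance.
    best = None
    for c in controls:
        residual = c.residual_ale(risk)
        net_benefit = round(inherent - residual - c.annual_cost, 2)
        if residual <= tolerance and net_benefit > 0 and (best is None or net_benefit > best[2]):
            best = (c, residual, net_benefit)
    if best:
        c, residual, net_benefit = best
        return "mitigate", {"control": c.name, "residual_ale": residual, "net_benefit": net_benefit}

    # Transfer: retained loss plus premium must fit within tolerance and beat doing nothing.
    exposures = [("none", inherent)]
    exposures += [(c.name, round(c.residual_ale(risk) + c.annual_cost, 2)) for c in controls]
    if insurance:
        retained = insurance.retained_ale(risk)
        total = round(retained + insurance.premium, 2)
        exposures.append((insurance.name, total))
        if total <= tolerance and total < inherent:
            return "transfer", {"policy": insurance.name, "retained_ale": retained, "annual_cost": total}

    # Nothing reaches tolerance. Beyond capacity the only option is to walk away;
    # below capacity the risk can be accepted, but only by a documented exception.
    cheapest, exposure = min(exposures, key=lambda e: e[1])
    if exposure > capacity:
        return "avoid", {"best_exposure": exposure, "capacity": capacity}
    return "accept", {"residual_ale": exposure, "requires_exception": True, "via": cheapest}


# Constructed sample register.
TOLERANCE = 20_000.0
CAPACITY = 1_000_000.0
WEB = Risk("Public web server compromise", sle=200_000, aro=0.5)
WEB_CONTROLS = [Control("WAF plus patch SLA", 15_000, aro_reduction=0.8),
                Control("24x7 SOC", 90_000, aro_reduction=0.9)]  # net benefit is zero
RANSOM = Risk("Ransomware on file servers", sle=400_000, aro=0.25)
RANSOM_CONTROLS = [Control("Offline backups", 60_000, sle_reduction=0.7)]
CYBER_POLICY = Insurance("Cyber attack policy", premium=8_000, coverage_fraction=0.9)
PRINTER = Risk("Office printer outage", sle=5_000, aro=2)
UNVETTED = Risk("Launch unvetted product line", sle=3_000_000, aro=0.5)


def run_register():
    """Treatment option for every sample risk, keyed by risk name."""
    return {
        WEB.name: recommend(WEB, TOLERANCE, CAPACITY, WEB_CONTROLS)[0],
        RANSOM.name: recommend(RANSOM, TOLERANCE, CAPACITY, RANSOM_CONTROLS, CYBER_POLICY)[0],
        PRINTER.name: recommend(PRINTER, TOLERANCE, CAPACITY)[0],
        UNVETTED.name: recommend(UNVETTED, TOLERANCE, CAPACITY)[0],
    }


if __name__ == "__main__":
    for name, option in run_register().items():
        print(f"{option:9s} {name}")
```

The register is built so each risk lands on a different option: the web server is mitigated because the cheaper control brings residual risk inside tolerance with a positive net benefit (the SOC option reaches a lower residual but its cost equals the loss it removes, so it is rejected on cost-benefit); ransomware is transferred because backups alone leave residual risk above tolerance while the policy plus retained loss fits; the printer is accepted outright; and the unvetted product is avoided because even the best treatment exceeds capacity.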
Risk Insurance Types
Now that we know all of the treatment options, let’s talk about Risk Insurance Types.
Modern organizations require specialized insurance coverage addressing technology-specific risks beyond traditional property and casualty policies. Cyber insurance has evolved into a critical risk transfer mechanism, offering protection against data breaches, system failures, and digital business interruptions. Knowing the coverage options lets organizations mix and match policies into a security safety net that actually fits — without paying champagne prices for soda-water risks. Read the exclusions as carefully as the coverage: insurers increasingly require evidence of baseline controls such as MFA and tested backups, and a policy can be voided if those were promised but not in place.
IT equipment
Firstly, IT equipment insurance covers physical damage or loss of hardware including servers, workstations, and network infrastructure from perils like fire, theft, or natural disasters.
Cyber attacks
Second, cyber attack insurance provides coverage for losses resulting from malicious digital activities including ransomware, data breaches, and system compromises.
Business disruptions
Additionally, business disruption insurance compensates for lost income and additional expenses when technology failures or cyber incidents interrupt normal business operations.
Fidelity insurance
Fidelity insurance protects against losses from employee dishonesty, fraud, or theft, particularly important for organizations handling sensitive financial data or transactions.
Computer related media
Furthermore, computer related media coverage protects against loss or corruption of data stored on various media types. This includes costs for data reconstruction, recovery services, and replacement of damaged storage devices containing critical business information.
3rd party claims and liability
Third party liability coverage protects organizations when their technology failures or data breaches harm external parties. That means if customer data leaks or a service outage impacts clients, the policy helps cover the fallout — from hiring lawyers and paying settlements to, where the policy and local law allow it, regulatory fines and penalties, which in many jurisdictions are not insurable.
Errors and omissions
Errors and omissions insurance covers professional liability for technology services providers. When software bugs, implementation errors, or inadequate security measures cause client losses, this coverage protects against resulting claims and lawsuits.
Media in transit
Finally, media in transit insurance covers data loss or exposure during physical transportation of storage media. As organizations move backup tapes, hard drives, or other media between locations, this coverage protects against theft, loss, or unauthorized access during transport.
Risk Frameworks
Covering risks one by one is fine, but without a framework, it’s like playing whack-a-mole. Risk frameworks provide the structure that keeps the whole system under control and they will be the last major concept we cover in this video.
Risk frameworks provide structured methodologies for implementing consistent, repeatable risk management processes across organizations. These frameworks represent accumulated wisdom from decades of risk management practice, offering proven approaches for identifying, assessing, treating, and monitoring risks. Organizations select frameworks based on their industry, regulatory requirements, and organizational maturity. Many organizations combine elements from multiple frameworks, creating hybrid approaches tailored to their specific needs. Frameworks give risk teams their Rosetta Stone: a way to speak boardroom and regulator at the same time.
NIST 800-37
First up, NIST SP 800-37 defines the Risk Management Framework (RMF), written for federal information systems but widely adopted elsewhere. Revision 2 describes seven steps that guide organizations through the system lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Older study material still describes it as a six-step process; the Prepare step was added in Revision 2 in 2018, and the remaining six are unchanged.
NIST 800-39
Next, NIST 800-39 establishes integrated enterprise-wide risk management across three tiers: organization, mission/business process, and information system. This framework ensures risk decisions align with organizational objectives and risk tolerance at all levels.
ISO 31000
ISO 31000 provides universal risk management principles and guidelines applicable across all industries and risk types, emphasizing integration with organizational processes.
COSO
Moving on, COSO Enterprise Risk Management framework integrates risk management with strategy and performance, helping organizations manage risks while creating, preserving, and realizing value.
ISACA Risk IT
Finally, ISACA Risk IT framework specifically addresses IT-related business risks, providing guidance for risk governance, evaluation, and response. This framework bridges the gap between generic risk management and IT-specific risk considerations organizations face.

And that is an overview of Risk Treatment within Domain 2, covering the most critical concepts you need to know for the exam.
Something really cool we are providing with these MindMap videos is a completely FREE downloadable version of all the MindMaps in PDF format. We even include a blank version of each MindMap in case you want to print them out and take notes as you listen along. Link to download the MindMaps is in the description below.
If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.
Thanks very much for watching! And all the best in your studies.
