If you apply all four risk-treatment strategies sequentially to a risk, what's left at the end?
Restrisiko (residual risk) — the slice of risk that remains after Avoid + Reduce + Transfer, which you must consciously accept (or, if too large, refuse to accept and iterate).
The standard sequence (left → right, each bar lower than the last):
- Original risk (full CHF amount).
- VERMEIDEN/Avoid — slice off the part you decide simply not to engage with.
- REDUZIEREN/Reduce — controls drop likelihood and/or impact.
- VERSCHIEBEN/Transfer — insurance/outsourcing covers another slice.
- AKZEPTIEREN/Accept — what's left = Restrisiko (residual risk).
Beyond Akzeptieren lies Chancen (opportunities/upside) — accepting risk is also accepting the chance of value you wouldn't have if you avoided everything.
Critical point: Residual risk doesn't have to be accepted.
If the residual is still too large vs. risk appetite, the standard says go back and iterate — find more controls, raise the budget, or step out of the activity. The process loop in ISO 27005 has an explicit "Treatment satisfactory? No → loop back" decision point exactly for this.
Why insurance is highlighted as the special case:
- Insurance is the only category that moves CHF without changing the underlying technical risk.
- It's effectively useless for damages your business can't survive long enough to collect on, or that insurers exclude (NotPetya: many "war exclusion" denials).