LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

If you apply all four risk-treatment strategies sequentially to a risk, what's left at the end?

Restrisiko (residual risk) — the slice of risk that remains after Avoid + Reduce + Transfer, which you must consciously accept (or, if too large, refuse to accept and iterate).

The standard sequence (left → right, each bar lower than the last):

  1. Original risk (full CHF amount).
  2. VERMEIDEN/Avoid — slice off the part you decide simply not to engage with.
  3. REDUZIEREN/Reduce — controls drop likelihood and/or impact.
  4. VERSCHIEBEN/Transfer — insurance/outsourcing covers another slice.
  5. AKZEPTIEREN/Accept — what's left = Restrisiko (residual risk).

Beyond Akzeptieren lies Chancen (opportunities/upside) — accepting risk is also accepting the chance of value you wouldn't have if you avoided everything.

Critical point: Residual risk doesn't have to be accepted.

If the residual is still too large vs. risk appetite, the standard says go back and iterate — find more controls, raise the budget, or step out of the activity. The process loop in ISO 27005 has an explicit "Treatment satisfactory? No → loop back" decision point exactly for this.

Why insurance is highlighted as the special case:

  • Insurance is the only category that moves CHF without changing the underlying technical risk.
  • It's effectively useless for damages your business can't survive long enough to collect on, or that insurers exclude (NotPetya: many "war exclusion" denials).

From Quiz: ISF / Risk Management | Updated: Jun 25, 2026