What are the four standard risk-treatment strategies, and when does each apply?
VERMEIDEN (avoid) · REDUZIEREN (reduce) · VERSCHIEBEN/TRANSFER (transfer) · AKZEPTIEREN (accept).
| Strategy | What it means | Typical use | Position on matrix |
|---|---|---|---|
| VERMEIDEN (Avoid) | Don't take the risk at all — stop the project, exit the market | When risk is so high or so poorly understood that engagement is irresponsible | Top-right (high likelihood, high impact) |
| REDUZIEREN (Reduce) | Lower likelihood and/or impact via technology and process | The default for most cyber risks — firewalls, ISMS/ISO 27001, training | Likely + medium impact |
| VERSCHIEBEN (Transfer) | Move the financial consequence to a third party — insurance, outsourcing | Rare-but-severe events that are uneconomical to fully control | Low likelihood, high impact |
| AKZEPTIEREN (Accept) | Live with the risk; the upside outweighs the downside | Low likelihood and low impact | Bottom-left (green zone) |
Crucial nuance: Accountability ≠ Responsibility.
You can transfer the risk handling (outsource the SOC, buy insurance) — but the accountability for the asset always remains with the organisation. If your outsourced cloud provider leaks customer data, your customers blame you, regulators fine you, and your CEO testifies — not the provider.
Tip: Mnemonic — the four verbs Avoid · Reduce · Transfer · Accept (German VRVA — Vermeiden, Reduzieren, Verschieben, Akzeptieren). NIST and ISO 27005 use slightly different words for the same four: Risk Modification (reduce), Retention (accept), Avoidance, and Sharing (transfer).