Risk Logic
Intermediate
22 minutes

Risk assessment and risk treatment


Move from identifying assets, threats, and vulnerabilities to selecting a treatment path and linked controls.

Lesson overview

Risk assessment asks what could go wrong, why it matters, and how likely it is. Risk treatment asks what the business will do about it.

Professional explanation

A usable method identifies assets, threat scenarios, vulnerabilities, likelihood, impact, and risk criteria, then records treatment choices such as mitigate, avoid, transfer, or accept.

Practical example

A company may accept a low-risk marketing website issue, mitigate privileged-access risk, transfer some supplier outage exposure, and avoid a risky unsupported legacy workflow altogether.

Content blocks

A risk statement needs structure
Good risk assessment does not stop at vague danger words. It names the asset, threat, vulnerability, consequence, and owner clearly enough to support treatment.
Treatment is a business decision
Mitigate, avoid, transfer, and accept are not just labels. They are management decisions that must fit cost, exposure, and business reality.

Examples and callouts

Logging and access review are strong mitigation responses for privileged-access abuse risk.
Cyber insurance may transfer part of the financial exposure of certain incidents, but it does not replace governance or evidence.
Keep the method teachable
A simple, consistently used method is better than a complex method nobody can explain in an audit.
Auditors look for logic, not theatrics
They usually want to see consistent criteria, a clear register, ownership, and evidence that treatment actions are tracked.

Interactive prompt

For one scenario, list an asset, a threat, and a vulnerability, then choose a treatment and justify it in business language.

Interactive exercise

Module checkpoint

Answer in either language. The quiz uses the same underlying concept, not literal duplicated wording.

Q1
What comes first in a sensible risk workflow?
Q2
What does risk treatment decide?