(ISC)2 Certified in Cybersecurity Practice Exam

Prepare for the (ISC)2 Certified in Cybersecurity Exam with comprehensive quizzes and extensive question banks. Enhance your skills with detailed explanations and practice tests designed to improve your expertise for the certification exam. Get exam-ready now!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!

Which of the following describes the implementation of controls to reduce potential risk impact?

  1. Risk Treatment

  2. Risk Management

  3. Risk Avoidance

  4. Risk Mitigation

The correct answer is: Risk Mitigation

The implementation of controls to reduce potential risk impact is best described as risk mitigation. This term refers specifically to the strategies and measures an organization puts in place to lessen the likelihood or severity of a risk. By applying controls (security measures, policies, or practices), the organization decreases the negative effects that could arise from the risk. Risk mitigation covers a wide range of actions, including technical controls, procedural changes, and training initiatives designed to protect the organization from its inherent risks. By focusing on reducing potential impact, risk mitigation safeguards assets and helps maintain operational integrity.

The other options describe related but broader or different concepts:

Risk treatment is the overall process of selecting and implementing measures to modify risk. It includes risk mitigation alongside the other treatment options: risk acceptance, risk transfer, and risk avoidance.

Risk management is the broadest term. It covers the identification, assessment, and prioritization of risks, together with the coordinated application of resources to minimize, control, or monitor the probability and impact of adverse events.

Risk avoidance eliminates the risk entirely by stopping the activity that gives rise to it, which is different from reducing the impact of a risk that remains.