How do you perform risk treatment and choose mitigations in Annex B?

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

How do you perform risk treatment and choose mitigations in Annex B?

Explanation:
The idea being tested is how to approach risk treatment in a structured way and pick mitigations. Start by assessing the risk level, usually by considering how likely the event is and how severe its impact would be. With that understanding, you choose a treatment approach that fits the situation: reduce the risk by adding controls or actions that lower either the probability of the event or the severity of its consequences; transfer the risk to someone else (for example, through contracts or insurance); avoid the risk entirely by changing plans so the risk no longer applies; or accept the risk if the remaining level is within acceptable tolerance. Importantly, you document the rationale for why a particular mitigation was chosen, so decisions are transparent and auditable, and you assign responsibility and resources with timelines. After implementing the mitigation, you re-check the residual risk to ensure it aligns with the organization’s risk appetite. The emphasis on a clear assessment, deliberate selection of mitigation strategies, and documented justification distinguishes this approach from ad hoc or undocumented practices.