What is Risk avoidance?

Understanding Risk avoidance

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination. Risk avoidance is a risk treatment strategy where an organization decides not to engage in or discontinues an activity to eliminate exposure to a particular risk. This approach is appropriate when risks cannot be reduced to an acceptable level through other means or when the potential impact outweighs the benefits. Risk avoidance is defined in standards like ISO 31000 ISO 27001 and NIST RMF. Organizations implement risk avoidance through business impact analysis alternative solution evaluation and formal decision processes balancing security and business needs. For example after analyzing the risks of storing customer payment card data an e-commerce company might implement a risk avoidance strategy by deciding not to store any card data on their systems instead using a third-party payment processor that tokenizes transactions completely eliminating their exposure to payment card data breaches while still enabling customer purchases. Related terms Risk treatment Business impact analysis Alternative solutions Risk-based decision making Inherent risk Risk appetite Opportunity cost Strategic planning.