Which statement best describes how risk treatment functions in POA practice?

Risk treatment in POA practice is about choosing and applying controls that lower risk to an acceptable level, and ordering those actions by how much risk they reduce and how likely the risk is. The idea is to rank mitigations using impact and likelihood so the most significant risks get addressed first, while recognizing you can’t eliminate all risk. The goal is to bring residual risk within the organization’s risk appetite, using a mix of procedural, physical, technical, or contractual safeguards chosen for feasibility and cost-effectiveness. In short, it’s proactive risk reduction to an acceptable level, not a pursuit of perfect safety; decisions aren’t made by cost alone, nor are they postponed until after incidents, and they should consider the actual risk rather than just expenses.