Risk treatment involves identifying, analyzing, and evaluating risks. Organizations should label the risk as high, medium, or low during the assessment period. Then, the organization should create a risk treatment based on its decisions about the sensitivity of the information and the likelihood it could be compromised.