What should be the starting point in the risk treatment process?

Get ready for the ISO 27001 Internal Auditor Exam. Learn through flashcards and multiple choice questions with hints and explanations. Ace your auditor test!

The starting point in the risk treatment process should be identifying unacceptable risks. This step is crucial because it establishes a clear understanding of which risks pose a significant threat to the organization and its assets. By identifying these unacceptable risks, an organization can prioritize its responses and allocate resources effectively to mitigate those risks.

Identifying unacceptable risks helps organizations determine the level of risk they are willing to accept and which risks must be treated because they exceed that acceptable level. It forms the foundation upon which further risk assessment and treatment decisions are made. This ensures that the organization concentrates its efforts on the most pressing threats, ultimately aiming to protect sensitive information and maintain compliance with standards such as ISO 27001.

Developing new risk management standards, creating an organizational budget, or hiring new management personnel may be important activities but do not directly address the immediate need to assess and understand specific risks facing the organization. These activities can follow the identification of unacceptable risks, but they do not constitute the starting point for the risk treatment process.
