Risk Management: Avoid, Accept, Mitigate, Transference

When you make a cup of coffee, you are aware that it carries some risks, such as spilling boiling water, getting a shock from the kettle's steel body, or burning your tongue. However, you take precautions to reduce those risks, such as keeping the outlet's wiring in good order and not taking a sip until the coffee has cooled enough. You then weigh the risks and decide that the benefits exceed them. The process is similar in business, but we take a more formal approach when identifying, assessing, and managing the risks our organization faces. In this blog post, we will cover how to manage risks.

To properly identify and deal with the risks to our systems, we follow a defined set of steps. These are the steps of the risk analysis process:

  • Define the most valuable assets.
  • Determine any threats to these assets.
  • Identify the probability of each risk happening.
  • And lastly, take steps to manage those risks.

What is risk management?

Once you have prioritized your risks, you should proceed to manage them. When you deal with a specific risk, you have four options: risk avoidance, risk mitigation, risk acceptance, or risk transference.

Risk Avoidance

The most basic response is to avoid the risk. You choose this option when the risk outweighs the benefits. For example, you may conclude that sharing personal information or using social media during working hours reduces performance and poses a risk to the organization. Your system administrator may then block employees' access to those sites during working hours.

Risk Mitigation

The most common response to threats that represent a high risk to a system is risk mitigation. As an administrator, you use this strategy to take proactive steps that limit or reduce the risk to an asset. A firewall placed between an attacker and your virtual private network, for example, reduces the probability of a successful attack on your site.

Risk Acceptance

You may also opt to accept a certain risk as a cost of doing business, which is known as risk acceptance. This is frequently the case when the odds of a risk occurring are extremely low or when the potential harm caused by the risk is minor. When you decide to accept a risk, you do nothing about it and carry on as if the danger did not exist. For example, your company has financial problems and you decide to send employees home to cut some office costs, accepting the risks that come with that decision.

Risk Transference

Your last option is to shift the risk to someone else, which is known as risk transference. An everyday example of risk transference is an insurance policy.

In this post, we have covered what risk management is and its four components:

  • avoidance,
  • acceptance,
  • mitigation,
  • and transference.

Organizations frequently employ a combination of these tactics, especially when dealing with major risks: a single risk may be partly mitigated, partly transferred, and the remainder accepted.

It is the obligation of an organization's general management to structure its information technology and information security operations so that enterprise assets are safeguarded.

Interested in information security governance, risk and compliance? Enrol in MCSI’s MGRC - Certified GRC Expert.