Risk Management: The 4 Strategies You Need to Know

Published: July 28, 2024
Jacob Høedt Larsen
PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of the Sustainable Compliance podcast and an expert on software-supported GRC workflows, setting up a GRC program, managing a GRC team and securing management buy-in.

When a company has identified and assessed a risk, there are four main strategies it can use to deal with it:

  • Avoid the risk

  • Reduce the risk

  • Transfer the risk, or

  • Accept the risk

In this article, we explore what each strategy means – and how to apply them in practice.

1 – Avoid the Risk

This means steering clear of the risk altogether. A business may choose not to pursue an activity that brings the risk in the first place.

Example from data protection: When hiring new employees, an organisation collects information about their health or past criminal convictions. If this data were to fall into the wrong hands, the consequences could be severe. To avoid this risk, the company could simply decide not to collect such information at all.


2 – Reduce the Risk

If a risk can’t be avoided, it may be possible to reduce it. Risk is calculated as the product of likelihood and impact – so lowering either one reduces the overall risk.

Many information security measures aim to reduce likelihood: firewalls, access controls and phishing awareness training are all designed to prevent incidents from happening in the first place.

Other controls target the impact side: a strong backup strategy can significantly reduce downtime and damage following a ransomware attack, for instance.

3 – Transfer the Risk

Sometimes, it makes sense to shift the risk to a party better equipped to manage it.

You might:

  • Outsource parts of your data processing to a provider with stronger cybersecurity controls

  • Or take out insurance to cover certain risks


4 – Accept the Risk

In many cases, organisations simply choose to accept the risk. And that can be a valid decision – provided it's informed and deliberate.

You might accept a risk if:

  • It’s low

  • It can’t reasonably be avoided, reduced or transferred

  • Or the cost of mitigating it outweighs the potential impact

What matters is how the decision is made. A structured process should define who can accept risks – and at what level.

For example:

  • Minor (green/yellow) risks might be accepted by a risk owner or security specialist

  • Major (red) risks often require executive approval


Where Risk Management Fits in the Bigger Picture

Risk management typically includes four steps:

  1. Identifying risks

  2. Assessing risks – learn more in our full risk management guide: https://www.wiredrelations.com/blog/guide-to-effective-risk-management

  3. Responding to risks (using the strategies above)

  4. Monitoring risks over time

Risks don’t vanish by themselves – but we can help

Get a clear overview of your risks – and manage documentation, follow-ups and accountability in one place. See how our platform can turn risk strategies into action.

Book a free demo