5 Risk Response Strategies You Will Have to Consider After Assessing Risks

We can’t control what people say to us – we can only control our response.

Risk and uncertainty are much the same I suppose…

The original version of the following article has been one of the most popular here at my blog.

Like other popular posts, such as this comparison of traditional risk management and ERM, it’s important to take a step back and re-examine this topic for two main reasons: perspectives have changed since the article was first published, and the blog’s considerable growth has resulted in more resources to support the sections below.

The core theme of this piece from the beginning has really been about answering one basic question. You, your team, executives, and risk owners have done the work of identifying, assessing, and analyzing risks and opportunities, so the question that naturally comes up is – now what?

In some cases, reducing or avoiding risks is the best choice, especially if the alternative means breaking the law or someone getting hurt or killed. It’s a common misconception that risk management is all about reducing harm or averting failure, but as we’ll get into more later, this isn’t always the case and can, in fact, lead to failure.

The first four response strategies below are very traditional in nature and, as Hans Læssøe discusses in his book Prepare to Dare on the different levels of risk management, well established.

A variety of factors internal to your organization will drive which of the following options management chooses. Risk appetite is one of several tools for helping you determine the right response strategy, but contrary to the original version of this article, it is by no means the only or always the best as this piece from Norman Marks explains.

Remember too that your risk response strategy can change over time as conditions warrant, which is why consistent monitoring of risks and the broader environment is so important.

(To learn more check out Risk Monitoring: 6 Considerations for Understanding this Make or Break Moment for ERM.)

Without further ado, below are 5 potential risk response strategies to consider for handling strategic, operational, legal, or other risks and opportunities.

Risk response strategy #1 – Avoid

As the name implies, quitting a particular action or opting to not start it at all is an option for responding to a risk. When you choose to avoid a risk, you are cutting off any possibility of it posing a threat to your enterprise. Like I discuss in the intro section above, executives and managers will choose this option for any risks that could get the company in major legal trouble or lead to someone getting killed.

A recent example of this is the shift to working from home to prevent employees from contracting COVID-19. Most organizations decided to avoid the risk of their employees getting sick. Other examples of this option can include halting the production of a particular product, selling a division of the company, or deciding against an expansion.

Now on the surface, this may seem like an attractive option, but it’s not always practical or advisable as we’ll explain in risk response strategy #5 below. However, if you’re absolutely certain there is zero tolerance for the risk in question, then the avoid option is the appropriate risk response.

To learn more, check out What to Do When Risks are Unavoidable.

Risk response strategy #2 – Reduce

What this means in ERM speak is to take steps to reduce the likelihood or impact of a loss. If the risk is just slightly above your appetite and tolerance level, then reduction is a reasonable strategy for bringing it down to within acceptable limits.

On a personal level, we all employ risk reduction in one way or another in our daily lives. When we get in our car to go somewhere, we put on a seatbelt to reduce the potential impact of an accident.

Notice though that this action does not reduce the chance of an accident occurring – if that is your goal, then you would need to just stay home.

In business, spending too much to reduce a risk can be a waste of time and resources…to illustrate, I’m going to go back to my first job as a cashier at a grocery store.

A big responsibility of a cashier is to make sure your drawer balances at the end of each shift. At my store, we were allowed some latitude, specifically an “over/under” of up to $3; meaning, if my drawer was missing $1.80, the store would just write it off. It was somewhat of a relief to know I had this cushion, but if it happened all of the time, the store would have reason to be suspicious.

Now, let’s say there was an over/under latitude of only 2 cents…

Would it make sense to pay someone their hourly rate to chase down 50 cents or a dollar or would it be more efficient to just accept that you lost a dollar?

As you should be able to see by this example, spending too much time on trivial matters can be wasteful, so keep that in mind when choosing this risk response.

To learn more, check out Risk Reduction – A Response Strategy for Decreasing the Impact of Potential Risk Events.

Risk response strategy #3 – Transfer

Unlike options 1 and 2, this option does not eliminate or reduce the chances of the risk occurring, but instead delegates or transfers responsibility for the risk to a third party. Purchasing insurance for your home doesn’t reduce or eliminate damage from a storm, but it does provide a financial safety net in the event damages do occur.

Besides insurance, another common method for transferring risk is to include indemnification clauses in contractual arrangements, which are commonly found in construction and service job contracts, rental contracts, purchase order agreements, lease agreements, consulting agreements and more. The point of both these and insurance policies is to make you whole in the event a covered peril (or event) occurs.

One important point to remember with this option – it only kicks in post-event, and as we’ve discussed in many articles since the original article, intangible risks like reputation and talent cannot be transferred to a third-party.

Think of it this way: You can outsource a process, but you cannot outsource a risk.

In the end, when managing risks to the enterprise, the goal of risk transfer is to ultimately reduce the (mostly financial) impact should something materialize. The company is therefore willing to take a gamble on the risk occurring.

Risk response strategy #4 – Accept

There will likely be other risks outside your tolerance where one of the other response options will not be a good fit since the probability and/or the impact is so low that it does not make sense to expend resources to avoid, transfer, or reduce the risk.

In cases like this, you can simply accept the risk as-is and do nothing…yes, you read that right, you can do nothing! In other words, risk acceptance is a passive decision since it requires no action.

Other risks that can fall into this category include emerging risks, or ones that may pose some sort of threat in the distant future.

If you want to get technical, all risks except ones you completely avoid can fall into the accept category.

If you reduce a risk, you’re still accepting the part within your appetite. If you transfer the risk via insurance, you still accept part of the risk as it relates to your monthly premiums and deductible/retention. Only when a covered event exceeds this amount does your insurance take over to compensate you for the losses.

Therefore, unless you’re avoiding the risk altogether, you are using a combination of the reduce (mitigate), transfer, and/or accept risk response strategy by default.

To learn more, read One Tool for Informed and Responsible Risk Acceptance.

Risk response strategy #5 – Take risks

Here’s where things get more interesting. Up until now, we’ve really been looking at risks as a negative and at different response strategies for helping your company avert failure.

But as we’ve discussed in other posts, especially over the last 1-2 years, companies who simply focus on minimizing losses are putting themselves at an extreme disadvantage over more agile competitors, risking (you guessed it!) failure.

It’s always been true, but it’s even more so today – in order to succeed, you have to take risks.

Let’s say you have a goal and have identified the risks to achieving it. However, some of these risks exceed your company’s pre-determined appetite. If you were strictly using risk appetite as your metric, the response may be to avoid the risk altogether, but if you do this, you will not accomplish the goal.

In this situation, decision-makers could decide to take on the risks – note that this is not the same as the “accept” strategy above because risk acceptance is passive in nature.

In this situation, you are actively facing the risk head on by making preparations. Having a game plan does not reduce the severity or likelihood of this event occurring; it simply makes the organization’s actions post-risk smoother and more integrated.

Take a commonly discussed risk these days, cyber.

Because of all the scary headlines out there, it is natural to reach the conclusion to reduce, transfer, and avoid this risk as much as possible. However, as Norman Marks discusses in his book Making Business Sense of Technology Risk, you have to balance these issues against your goals and objectives.

For example, your company may want to develop an app as part of a multi-year initiative to modernize services (Focused on opportunity!). You know there are risks of a data breach and so on, but executives decide to push forward anyway because, if you do not develop the app, the chances of being displaced by a competitor who is willing to take this risk are quite high.

Several tools are available, both qualitative and quantitative, for helping inform decision-makers on the level of risk they are taking and the likelihood of success. These can range from root cause and scenario analysis to Monte Carlo simulation, sophisticated modeling, and more.

This response represents a more advanced level of risk or uncertainty management that forward-thinking companies are embracing to build a competitive advantage, or as Hans Læssøe explains in his book Prepare to Dare:

All companies take risks in pursuit of their strategic aspirations. Deploying this enhanced level [of] risk management, the risk taking becomes intelligent and based on identified and validly assessed risks and opportunities – based on a balanced utilization of the risk tolerance.

The former Formula One and Indy 500 race driver Mario Andretti stated ‘If everything is under control, you are moving too slow.’ This is true in business as well, and having an advanced level risk management in place enables moving faster.

Besides creating a competitive advantage, risk professionals who pursue this level of uncertainty management will become increasingly valuable to the organization in the years to come as many basic risk management tasks are automated.

Regardless of which risk response strategy you choose, monitoring will be a key part of ensuring you stay on track.

As we discuss in the intro, a risk response can change over time, which is even more true since this article was first written. Consistent, systematic risk monitoring is crucial for understanding which response strategies you should change and when.

How does your company choose its risk response strategies? Do you take a more traditional risk-averse approach or the opposite?

The original version of this article has generated a lot of discussion since it was first published. I hope you find this updated version helpful in understanding changes in risk management and how it can be used as a tool for better decision-making. To share your perspective, please feel free to leave a comment below or join the conversation on LinkedIn.

And to discuss your company’s methods for understanding risks and determining the best response strategy, don’t hesitate to reach out to me to discuss your situation today!

Featured image courtesy of Stuart Seeger via Wikimedia Commons


20 Comments

  • The article is mistaken. Step two after identification is evaluating. The next step is developing alternatives to employ as risk treatment, which may be all or part of all four responses. The next step is implementation.

    • Hi, Charlies. I appreciate you reading the article and commenting. The risk evaluation step was implicitly discussed as part of the comparison of the risk to the risk appetite to determine what response strategy would be best for the organization.

      Agree with you on the development of risk strategies, as stated in the article. You can use one or a combination of strategies to address a risk. Sometimes the hardest part of risk management is the actual implementation of the selected strategy/strategies.


  • Nice article thank you Carol. I cannot agree more that implementation is often where things fall down. In my view, a few too many risk identification and mitigation assessments are acknowledged and endorsed, but left to gather dust as implementation is seen as a burden.
    Nicely written and welcome – thanks.

    • Thanks, Stuart. Glad you enjoyed the article. In my view, the implementation of the bigger response strategies should be included in any project or portfolio planning that the company goes through in order to secure resources (people and money) and buy-in from executives.

  • You can also:

    Match the risk – 1:1
    Absorb the risk
    Leapfrog the risk
    Ignore the risk

    All have positive and negative consequences associated with them as do your 4 points.

    A good article that I enjoyed reading.

    • Thanks for your comment, Geary. Glad you enjoyed the article. Your thoughts on other responses are interesting. Can you provide an example of how an organization would “leapfrog” over a risk?

      • Leapfrogging a risk is getting ahead of the risk – a hedge against the future. In financial terms one might sell options, buy options, create a hedge, etc. In operational terms one might assess alternatives for materials used in a process, change supply chain configurations, find ways to become “antifragile” as Nassim Taleb would term it. Break down the risk into smaller less impactful elements.

        • Basically, it sounds like what you label as “leapfrogging” are different ways to reduce or avoid the risk. Right? In your examples, I see the use of financial options as reducing the financial impact of a risk; alternative materials as a way of reducing the risk; changing the supply chain as reducing the dependency on vendors, etc.

          I agree that breaking down the risk into smaller elements makes it more manageable…and more palatable for management to tackle to determine the appropriate risk response, as long as you don’t lose the big picture with those smaller elements. Great input, Geary. Thanks!

          • It is more of a getting ahead of risk – sort of estimating the future risk profile. But, yes, it is a way of avoiding risk or actually anticipating the minimization of risk impact. I have written about this and posted on LinkedIn and Continuity Central websites. The ability to get ahead of risk materializing can actually alter risk exposure.

            You are also right to mention that not losing the big picture is critical. Changing the nature of the potential impact of risk is what I refer to as the ongoing process of risk morphing into a different state – you do something to buffer the risk and it changes the risk, requiring an alteration of the risk buffering tactic employed.

  • Thank you Carol for this good article, although I don’t have full agreement with some points, but maybe that’s because of tailoring risk under different experience. Still, there is a main point I would like to highlight, that is (Risk Transfer): it could be listed as one of the risk response strategies under the conventional RM but not the new thought of RM (ERM); this became the strategy of sharing risk.

    • Hi, Raida. Thanks for your comment. Risk transfer can be accomplished in several ways, one of which is sharing in the risk. But at the highest level, you (as a company) are still transferring some of the risk to another party. So I think it comes down to labels. And ERM abounds with different labels for the same things, which is one of the things that I believe has hindered the progress of ERM adoption around the globe.

  • […] Williams describes this approach in an older article on her website, 4 risk response strategies you will have to consider after assessing risks. (I thank her for referencing one of my books in it.) Perhaps Carol will share with us whether she […]

  • Great Article,
    You can also use

    The so called 4t’s. Easy to remember as well.

  • You can also increase or engage the risk

    • Hi Jay – absolutely. This article was written when I first established this blog nearly 5 years ago and could probably use an update. No doubt that informed risk taking is a critical ingredient for success in our fast-changing world.

  • What do the 4 A’s of risk and uncertainty in projects stand for? Also, for the R’s of risk response I found just 4, and I heard someone say that there should be a fifth R to be included! Can you please help!

  • Outside development business systems center on growing an organization’s deals and portion of the overall industry through acquisitions, coalitions, or trading. The most well-known way is to seek after a procurement technique first, which can include purchasing one more organization or going into a joint endeavor. Assuming that falls flat, organizations frequently look for a union system by collaborating with one more organization to mutually offer an item or administration. Sending out is the last retreat for organizations that can’t develop locally.
