Convention has it that there are just four ways of "treating" risks:
- Mitigate the risk, typically by reducing the associated threat, vulnerability and/or impact.
- Avoid the risk by not doing something risky.
- Transfer the risk, for example by forcing business partners to enter into a binding contract that places huge costs and liabilities on them for security breaches while leaving you appearing squeaky clean (don't laugh: PCI DSS does this).
- Accept the risk. Shrug your shoulders and accept that the costs of mitigating, avoiding or transferring the risk outweigh the advantages (as you perceive them).
Well I'm not so sure that's a complete list. Here are some more possibilities:
- Explore the risk - which means doing things like analyzing or assessing the risk, researching the risk parameters and algorithms
- Ignore or deny the risk. This looks a little like risk acceptance at first glance but it revolves around either genuine or feigned ignorance. "It'll never happen to me" is one justification. "It hasn't happened so far" is another variant, "so it probably won't". "You don't know it will happen, since your risk analysis is full of holes and ridiculous assumptions" is only marginally better than "Trust me, it's not a problem."
- Exploit the risk, which is of course what hackers, fraudsters, scammers, industrial spies and other Bad Guys do (in the information security context), and how arbitrageurs, forex traders, bankers, corporate treasurers, insurers and other Good Guys do (in other contexts). Summed up by "Run with it, live dangerously and enjoy the rush' (a.k.a. the bunjee jumper's guide to risk management).
- Hype the risk, with its corrollary, downplay the risk, which is what politicians do all the time. "Folic acid in your bread will reduce the risk of neural tube defects" says one. "Folic acid in your bread will increase the risk of cancer" says another. "What's folic acid?" say most of the population, "Pass me the butter."
I'm sure there are still others ... comments welcome ...