Page 94 - CISSO_Prep_ Guide
identified risk and how to schedule risk mitigation activities.
There are four primary ways to respond to risk: accept the risk,
avoid the risk, mitigate the risk, or transfer the risk.
Risk Acceptance
The first step is to know the risk appetite of the senior
management team. This will determine which risk can merely be
acknowledged and accepted, and which risk must be mitigated
or transferred. The level of risk acceptance is also dependent on
regulations and compliance mandates that the organization must
adhere to. From a cost-benefit standpoint, it is easy to see that
management is not interested in spending more money to address
a risk than the asset itself is worth.
Management is also reluctant to spend more on control than the
benefit obtained by that control. Therefore, a certain amount of
risk will be accepted as a cost or risk of doing business.
The critical factor in accepting risk is the accuracy of the risk
assessment level. An organization may accept a specific risk
under the impression that the level of risk is much less than it
actually is. This emphasizes the requirement for the risk assessor
to be thorough, complete, accurate, and honest in their
assessment. Note that only senior management has the authority
to accept risk on behalf of the organization.
Risk Mitigation (Reduction)
When the level of risk is unacceptably high, the organization may
choose to implement some form of control to decrease the risk
level. Each control should reduce the risk significantly while
still preserving a favorable cost/benefit ratio.