Risk control is the process by which an organization reduces the likelihood of a risk event occurring or

mitigates the effects that risk should it occur. Our preferred way to determine your risk control

strategy is to use the four T’s Process:

Transferring Risk can be achieved through the use of various forms of insurance, or the payment to

third parties who are prepared to take the risk on behalf of the organization

Tolerating Risk is where no action is taken to mitigate or reduce a risk. This may be because the cost

of instituting risk reduction or mitigation activity is not cost-effective or the risks of impact are at so

low that they are deemed acceptable to the business (such as some trivial annoyance). Even when

these risks are tolerated they should be monitored because future changes may make it no longer

tolerable.

Treating Risk is a method of controlling risk through actions that reduce the likelihood of the risk

occurring or minimize its impact prior to its occurrence. Also, there are contingent measures that can

be developed to reduce the impact of an event once it has occurred.

Terminating Risk is the simplest and most often ignored method of dealing with risk. It is the ap-

proach that should be most favored where possible and simply involves risk elimination. This can be

done by altering an inherently risky process or practice to remove the risk. The same can be used

when reviewing practices and processes in all areas of the business.

If an item presents a risk and can be changed or removed without it materially affecting the busi-

ness, then removing the risk should be the first option considered; rather than attempting the treat,

tolerate or transfer it.

Reference: CIPS study guide page 144-145

LO 3, AC 3.3