Stop or change the activity so the risk disappears entirely.
Example: Stop storing sensitive data locally. Move to a managed, secure service instead.
🛡️ Reduce: lower likelihood or impact
Implement or improve controls to lower the likelihood, the impact, or both.
Example: Enable MFA. Apply outstanding patches. Encrypt data at rest and in transit.
🤝 Transfer: share the exposure
Move part of the financial or operational exposure to a third party.
Example: Take out cyber insurance. Use a cloud provider with contractual SLA guarantees.
✅ Accept: formal sign-off required
Formally acknowledge the risk and decide to live with it. Requires documented sign-off from a named risk owner.
Example: A low-scoring risk below your threshold — accepted with a named owner on record.