The fishermen know that the sea is dangerous and the storm terrible, but they have never found these dangers sufficient reason for remaining ashore. 
~ Vincent van Gogh

Risk is celebrated as the audacious basis for business growth. The idea of “controlling risk” sounds conservative and careful. Something a control freak might do.

Controlling risk isn’t as bad as it sounds. Risks aren’t necessarily eliminated or minimized. Risk management aims to accept risks that make sense and reduce risks where possible.

The process of controlling risk begins with identifying a list of risks and assessing the probability and impact of each risk. Controls are identified and implemented for each risk.

There are 4 types of risk control:

1. Accept Risk

The stakeholders who are responsible for a risk can choose to accept a risk. For example, the risk that a project may fail may be accepted if the project is of strategic importance.

Risk management may include an approval process for risk acceptance.

2. Mitigate Risk

Actions are taken to reduce risk to an acceptable level. For example, the organization assigns a top performing project management team to a project to reduce the risk that it will fail.

The risk that remains after mitigation is known as residual risk. Residual risks are also controlled (accepted, mitigated, eliminated or transfered).

Secondary Risks

When you mitigate risks it’s important to consider secondary risks. Secondary risks are the risks that are caused by your risk mitigation efforts. If you reduce a security risk by applying an update to software — there’s a risk that the update itself contains security vulnerabilities. In some cases, mitigation activities are higher risk than the risk they reduce.

3. Eliminate Risk

A risk may be reduced to zero. Normally the only way to accomplish this is to cease the activity that generates the risk. For example, selling a risky investment will eliminate the risks associated with that investment.

4. Transfer Risk

A risk may be transfered to another organization or individual. For example, fire insurance transfers the risk of asset damage due to fire.

The Dark Side of Risk Transfer: Counterparty Risk

It’s important to consider counterparty risks when transferring a risk. A counterparty risk is the risk you get back when you transfer a risk. This often takes the form of the risk that a counterparty will fail to meet its legal obligations to you. For example,an insurance company may go bankrupt after a major flood and fail to meet its financial obligations.