CHAPTER 7: Risk Response

The ultimate goal of a risk management process is to control downside risk at the lowest cost possible, while keeping as much upside potential as possible. The term ‘risk response’ refers to how the firm chooses to balance risk and return once a risk exposure has been identified and assessed as part of the risk register. The executive team must craft a response to each of the major risks that have been identified in the register. But then there is also that elusive concept of the risk of the firm as a whole. As we will emphasize in this chapter, the risk response also needs to reflect the firm's desire to safeguard various corporate‐level objectives that are connected to the value creation process.

Risk response falls into three broad categories: risk mitigation, risk transfer, and risk retention.1 Risk mitigation is any action taken by the firm to reduce the probability of a negative event, or its consequence should it happen, that does not involve outsourcing the risk to a third party. Risk transfer, in contrast, means writing a contract with another entity to effectively outsource the risk. To illustrate the difference, paying for a new surveillance system that deters theft is an example of risk mitigation, whereas paying for insurance that will compensate the firm if it suffers from theft is risk transfer. Risk retention means accepting and keeping an exposure and any losses that could result from it. The overarching goal is to bring the risk that ...
