The process of deciding on how to approach and deal with identified risks. The four primary responses to risk are acceptance (tolerating the risk), avoidance (changing plans to evade the risk), mitigation (reducing the impact or likelihood of the risk), and transfer (shifting the risk to a third party). The chosen response will depend on the organization’s risk tolerance, the potential impact of the risk, and the cost of the response.