# The Four T's of Risk Management
Risk management is a huge component of what [[ISO 27001]] is looking to achieve in provisioning an ISMS. Vocabulary and understanding of risk are therefore vital to fully comprehending the use of the standard and what a good risk assessment and treatment plan may look like.
Once you've identified a risk and quantified its likelihood and potential impact against you, it's time to decide what you're going to do about it. To this end there are four generally agreed options:
**Terminate**: Also known as risk avoidance, termination of a risk is the elimination of it by discontinuing the activity or process that allows this risk to emerge as a possibility.
**Treat**: Attempting to reduce the risk to an acceptable level by putting controls in place that alter either the likelihood or the impact of the risk eventuating. This is the main effort taken by the risk treatment plan, wherein controls are selected to reduce the components of a risk to an acceptable level. Whatever remains after the controls are applied is the residual risk, which then needs to be accepted or treated further in its own right.
**Transfer**: Also known as 'sharing' the risk, this shifts some of the cost of the impact, or the responsibility for managing the likelihood, to a third party. Examples of risk transfer include the use of insurance providers, outsourcing of processes, or simple contracts. For a small organisation, this could be the outsourcing of security to a managed service provider, or indeed the purchasing of cyber insurance. Note that transfer rarely moves the whole risk: insurance only covers the financial portion of the impact, and outsourcing a process does not outsource the organisation's accountability for it, so the residual risk still needs recording.
**Tolerate**: A diplomatic word for 'do nothing', toleration is accepting the risk. This may be because the cost of mitigation far exceeds the impact of the risk, or indeed because this risk is an unavoidable part of the industry that the organisation finds itself in. Toleration is still a decision rather than an omission: the risk should be recorded with its justification, approved by the risk owner, and revisited at the next review, since a risk that was acceptable at one point may not stay that way.