Tolerate, terminate, treat and transfer — we look at the 4Ts of risk management.

We assume that tomorrow will look much like today. But as we’ve seen with Covid-19, that may not be the case. Changes may be profound. This is where good risk management comes in.

Risk management creates and protects organisational value. As such, it should be a natural and inherent part of what every company does. Risk management is an integral part of decision-making because it explicitly addresses uncertainty.

Risk is something uncertain. It may happen. It may not. But either way, it’s important because it will have an impact on objectives, and that impact could be positive, negative or neutral. There are always several options for managing risk.

A good way to summarise the different responses is with the 4Ts of risk management: tolerate, terminate, treat and transfer.

Tolerate

Sometimes it’s okay to do nothing. The likelihood and impact of the risk are low. You may decide to simply retain the risk because it is acceptable without further action. Log and monitor the risk, because retaining a risk should always be an informed decision. You should not find that your organisation has retained a risk by default.

Terminate

Sometimes a risk is so far outside your risk appetite, or is assessed as having such a severe impact on your business, that you have to stop (i.e. terminate) the activity causing it. For example, you may decide not to start or continue a business activity in a particular country, or withdraw from the market a product or service that gives rise to unacceptable risk.

Treat

You will almost certainly decide to take action on the most severe risks. You may act to reduce the likelihood of the risk occurring, or the severity of the consequences if it does. For example, install a firewall to reduce the likelihood of an external intrusion into your IT systems, and implement network segregation to limit the consequences if an intruder does gain access.

Transfer

Insurance isn’t available for everything. Sometimes, while it’s possible to transfer the activity to a third party, you still retain the liability if things go wrong. In the case of the Payment Card Industry Data Security Standard (PCI DSS), a third-party arrangement outsources merely the function, not the responsibility or liability for PCI compliance.


