PO6.1 DEFINE INITIATIVES TO ADDRESS RISKS
Define initiatives to address risks.
As part of formulating a strategy, management should define initiatives that will appropriately address all identified risks, focusing on those that have the highest priority. Management should analyze existing and candidate initiatives and ensure that the most appropriate initiatives are implemented.
The most appropriate response may not always be the most cost-effective, as selection may be based on other factors such as legal requirements, adherence to entity values, internal and external stakeholder demands, and potential for positive or negative effects on reputation.
Management may consider several options to address risks, including:
> acceptance
> avoidance
> reduction
> sharing
Acceptance means the entity takes no action to affect the likelihood or impact of the risk. Generally, compliance risks should be avoided, reduced or shared. Accepting a risk that involves deliberate violation of law is inappropriate.
Avoidance means the entity will not engage in activities that introduce risk. Avoidance is typically used when the costs of implementing a different response outweigh any potential benefit. For example, if an entity believes its capability to address foreign sales risks is limited, it may choose to sell its international sales and marketing units. It is difficult to completely avoid risks. Reputation risks, for example, may still be present during and after the avoidance response.
Reduction reduces the likelihood or impact of the risk without absolute avoidance. Reduction responses typically include the implementation of preventative and detective controls.
Sharing reduces the likelihood or impact by transferring or otherwise sharing a portion of the risk. Common sharing responses include purchasing insurance products or establishing a joint venture. When an entity's internal capability is unable to effectively address risks, management may consider using risk management products such as insurance and insurance-like products/techniques (reserves, captives, pooling techniques, etc.).