CPA Tutoring

Enterprise Risk Management – Risk Responses

Let’s discuss different risk responses. When a company identifies its risks, it needs to develop a response strategy. 

There are four primary options for responding to risks:

1. Risk Acceptance 

2. Risk Avoidance 

3. Risk Sharing 

4. Risk Reduction

First, a company can accept the risk, meaning it chooses not to take any actions to decrease the risk level. For instance, let’s say a US company that sells a unique type of makeup decides to expand its operations to the UK. Once the US makeup company establishes operations in the UK, it identifies a significant risk – a competing company selling the same type of makeup. If the US company simply accepts this risk, it will not take any action to mitigate it.

Secondly, a company could opt to avoid the risk. Here, the company eliminates the part of the business that faces the risk. In our example, to avoid the risk, the US makeup company could decide to shut down its operations in the UK entirely.

Thirdly, a company can elect to reduce the risk. This strategy involves taking specific measures to lower the risk. For example, the US makeup company could continue its operations in the UK but expand its product lines to mitigate the risk. This way, even if the competing company gains traction, the US company can maintain its market share.

Lastly, a company can decide to share the risk. This method involves entering an agreement with another party to reduce the risk. For instance, the US company could choose to partner with another makeup company in the UK, allowing both companies to collaboratively lower their risk.

When discussing risks, it’s crucial to distinguish between absolute assurance and reasonable assurance. Absolute assurance implies the company is 100% confident that it has adequately managed all of its risks. However, achieving absolute assurance is simply not feasible. Even with an ideal ERM system, a company remains exposed to risks.

Instead, an organization’s objective should be to attain reasonable assurance. This means it feels sufficiently confident that the ERM system will help reduce risks to an acceptable level. Reasonable assurance can be achieved, while absolute assurance cannot.