The Risk Management practice is not something you need to know in depth for the ITIL 4 exam, so Dion Training covers it only briefly in this article, for your general awareness. We are sure you have read one of our articles that talks about this. To help you remember, or just to give you an overview, this article talks about the four things you can do with risk.
The risk management practice is focused on ensuring that an organization understands and handles its risk effectively. There are four things you can do with risk: you can avoid it, mitigate it, transfer it, or accept it. When you avoid risk, you change the situation so that the risk doesn't exist anymore.
If your company has a computer that's running Windows XP, that's highly risky. You can avoid that risk completely by turning off that computer or upgrading it to Windows 10. Now the risk is completely avoided, because you no longer have this old, outdated system probably causing system-wide errors or even becoming a gateway for security threats to propagate throughout your network.
Mitigation, on the other hand, is where you put some things in place to help lower the amount of risk. For example, suppose you want to drive your car from here to the convenience store, and you were going to drive at 60 miles an hour. Instead, you decide to drive at 30 miles an hour. That lowers your risk because it gives you more time to react, for example when a car in front of you suddenly stops or a kid suddenly crosses the street.
Risk transference is when you transfer the risk to somebody else. In the example of your car, you surely have an insurance policy on it. If you get into an accident, you do not assume the risk; instead, the insurance company does. They're going to pay for the damages, because you paid them a premium, and that transferred the risk from you to them for that financial issue.
Finally, there is risk acceptance. If you have a risk that's small enough, you might just decide to accept it. For example, there are risks that you deal with every day, and you simply accept them. When you get in the car to drive to work, there's a risk you could get into an accident. Yes, you've transferred the financial risk to your insurance company, but if you get into an accident you're still going to get hurt. And that sure hurts. You cannot transfer that pain to the insurance company or any other person. Since you figured that the risk is small enough or has a very remote chance of ever happening, you have accepted that risk, whether willingly or unwillingly, so that you can drive your car to work. That's the idea when you deal with risk management. It's identifying all the risks that are going to exist for your products and services, as well as your projects as you're deploying them. And then you try to either mitigate them, transfer them, avoid them, or accept them.