Retain/accept the risk - if, after controls are put in place, the remaining risk is deemed acceptable, the risk can be retained. However, plans should be put in place to manage/fund the consequences of the risk should it occur.
Reduce the Likelihood of the risk occurring - e.g. by preventative maintenance, audit & compliance programs, supervision, contract conditions, policies and procedures, testing, investment, training of staff, technical controls and quality assurance programs, etc.
Reduce the Consequences of the risk occurring - through contingency planning, contract conditions, disaster recovery & business continuity plans, off-site back-up, public relations, emergency procedures, staff training, etc.
Transfer the risk - this involves another party bearing or sharing some part of the risk through contractual terms,
insurance, outsourcing, joint ventures, etc.
Avoid the risk - decide not to proceed with the activity likely to generate the risk, where this is practicable.