Transfer is a specific type of mitigation (see Section 3.4) whereby the organisation transfers the entirety or an element of the risk, usually through a financial instrument, to provide some level of protection to the organisation.
There are several common forms of risk transfer, the most common of which are:
- contractual terms and conditions.
In the first two instances the costs of a significant (but usually low probability) risk are taken by a third party, usually in return for a fee.
In the case of contractual terms the organisation may, knowingly or unknowingly, pay a higher price for the goods or services because of the level of risk assumed. In each of the three cases outlined above, the transfer of risk is normally done by experts, and as such this will not be covered further.
There are, however, some considerations to be aware of when practising risk transfer. In the case of insurance, while it can mitigate financial risks it cannot, in most instances, mitigate reputational risks; moreover, payment of insurance may be delayed, not paid in full (if the organisation is partly at fault) or, in extreme circumstances, the insurance company many not have the resources to fulfil its obligations.
The same risks are true of contractual terms and outsourcing. Passing on all liabilities to suppliers may give the illusion that risk has been fully transferred, but if the supplier is unable to honour their financial liabilities in full it may file for bankruptcy, and the impact would then fall back on the original organisation. Furthermore, assuming that risks relating to poor quality or poor HR practices can be transferred to suppliers can be difficult to manage in practice and require a high degree of oversight.