By transferring risk firms remove their own responsibility for dealing with risk events to someone outside of the organisation.

The most typical examples are taking out insurance and outsourcing.

Insurance

The most widely used form of risk transfer is to take out insurance which protects valuable assets such as premises or office equipment. By doing this, burden is handed over to insurance companies whom will pay out where unforseen events arise and cause damage or loss. For example a firm identifies its risk as office equipment being damaged from a natural disaster i.e. flood. The financial costs to flood-proof the office or premises would not be worthwhile given the likelihood of the event, but there is still a chance that by some freak act of nature that a flood could occur and destroy hundreds of thousands of pounds of equipment. As a result, this particular risk would be transferred to insurance companies.

Outsourcing

This involves hiring another company (usually more specialised) to control and accept your risks. One common misconception is that outsourcing risk will completely remove it. This is incorrect, it simple hands it to another company removing the burden of the risk, not the risk itself. Consider a company analysing their IT risks. Instead of the firm having to control all of their IT risks themselves, they could hire a company to control the complete IT server and security. Therefore, the firm in question is no longer responsible for implementing mitigation methods for their IT risks, but the overall burden has been handed over to another, more reliable corporation, but risks from IT will still remain (but hopefully at a level lower than they were previously).

By passing responsibility to another firm, the risk is no longer a major issue and time can be spent on resolving other risk management issues that may not be able to be transferred.