Every leader already does risk transfer; most just call it "the insurance renewal" and sign it without thinking. The deeper idea is simple and worth getting right: for a premium you pay now, another party agrees to absorb a loss you might face later. You swap a rare, large, unpredictable cost for a small, certain, budgetable one. That trade is powerful, and it quietly tempts people to believe a transferred risk is a solved one. It isn't.
The quick version
- Risk transfer moves the financial consequence of a risk to another party, usually through insurance or a contract clause, in exchange for a premium or fee.
- It is one of four standard responses to a risk: tolerate it, treat (reduce) it, transfer it, or terminate (avoid) it. Transfer suits risks that are high-impact but low-likelihood: too costly to absorb, too rare to engineer away.
- Transfer shifts the cost, not the accountability. After a data breach the insurer pays the bill, but the customer trust, the regulator and the headline are still yours.
- Insurance works only because of pooling and information. When the insured know more than the insurer, or behave worse once covered, the market wobbles, which is why premiums, exclusions and excesses exist.
The idea in depth: transfer is one option, not the option
Risk transfer makes sense only once you see it as one move on a short menu. The most widely taught version is the "four T's" (tolerate, treat, transfer, terminate), a practitioner shorthand for matching your response to where a risk sits on a likelihood-and-impact grid (a clear walkthrough is PXP's explainer on the 4Ts). You tolerate small, tolerable risks; you treat the likely ones by reducing them; you terminate the ones that are both likely and severe by not doing the activity at all; and you transfer the risks that are rare but ruinous (the warehouse fire, the liability suit, the key-person death), because you could never engineer them to zero and could never comfortably pay for them yourself.
Place each material risk on that grid before you reach for a policy. Transfer is the right answer for low odds and high stakes, and the wrong one for a risk you should simply have fixed. Insure a problem you could cheaply prevent and you pay twice: once in premium, once in the loss the insurer reflects back at renewal.
```mermaid
flowchart TD
    A(["A material risk"]) --> B{"Likelihood × impact?"}
    B -->|"Low / low"| C(["Tolerate<br/>accept and monitor"])
    B -->|"High / low"| D(["Treat<br/>reduce likelihood or impact"])
    B -->|"Low / high"| E(["Transfer<br/>insure or contract it out"])
    B -->|"High / high"| F(["Terminate<br/>stop the activity"])
```
The formal frameworks agree, with one important refinement. ISO 31000:2018, the international risk-management standard, lists "sharing the risk" as a treatment option (Clause 6.5) and pointedly prefers sharing to transfer. COSO's 2017 enterprise-risk-management framework similarly names "share" among its responses (alongside accept, avoid, reduce and pursue); Gallagher's side-by-side of COSO and ISO 31000 is a useful orientation to how the two frameworks differ. The word choice matters: you can hand over the money, but you keep the consequence. A manufacturer with product-liability cover still owns the recall, the brand damage and the regulator's attention. The standards are telling you, in their dry way, not to mistake a paid invoice for a solved problem.
You can transfer the bill. You cannot transfer the blame.
Why insurance works, and where it strains
Insurance is risk transfer's main vehicle, and it rests on one elegant idea: pooling. No insurer can predict whether your building burns down, but across thousands of buildings the rate of fires is remarkably stable. By collecting many small premiums, the insurer turns individually unpredictable losses into a collectively predictable one, and takes a margin for carrying the variance. Peter Bernstein's history of risk, Against the Gods (1996), traces how this leap, from treating misfortune as fate to pricing it as probability, made modern insurance, and modern finance, possible.
That tells you what to insure: what is genuinely poolable and genuinely large. Stop trying to insure away ordinary running costs. A risk that is near-certain isn't insurable at a sane price; the premium just equals the loss plus the insurer's margin. Save the mechanism for the tail.
Where the model strains is information. The two classic failure modes were named by economists studying exactly this market. Adverse selection, the problem George Akerlof set out in his Nobel-recognised 1970 paper "The Market for 'Lemons'", is hidden information before the contract: the people most eager to buy cover are often the worst risks, which drags the pool's quality down and prices up. Moral hazard, analysed in Kenneth Arrow's work on the economics of medical insurance, is hidden action after the contract: once covered, people take less care. Both are real, and both explain the apparatus every leader meets at renewal, the medical questionnaire, the security warranties, the excess you pay on every claim, the long list of exclusions. They are not the insurer being difficult; they are the insurer keeping the pool honest.
An honest limitation. Risk transfer is bounded in ways a policy schedule won't advertise. It only ever addresses the financial slice of a loss, never the operational disruption, the reputational hit, or the regulatory fallout, which is why transfer should sit alongside prevention, not replace it. Cover can also fail you precisely when you lean on it: disputed claims, exclusions you didn't read, an excess larger than the loss, or an insurer's own solvency in a systemic event. And the standards' caution bears repeating: even a flawless payout leaves the accountability with you. Treat insurance as a financial backstop for the tail, not as a substitute for managing the risk.
A worked example
Take a mid-sized online retailer, call it Larkfield, turning over a modest amount and holding a database of customer cards and addresses. (Illustrative figures throughout; this is a teaching example, not a real company.) The board lists "customer data breach" on the risk register and asks the obvious question: should we buy cyber insurance?
Run it through the grid first. Likelihood: moderate and rising. Impact: potentially severe (regulatory penalties, notification costs, lost sales, legal fees). That is not a single-quadrant answer, and treating it as one is the common mistake. The breach has a high-impact tail that belongs in transfer, and a reducible everyday likelihood that belongs in treat. So Larkfield does both. It treats the risk first (multi-factor authentication, patched systems, staff phishing training, less customer data retained), because a cheaper premium and fewer claims both follow from it, and because the insurer will ask about exactly these controls anyway. Then it transfers the residual tail: a cyber policy with, say, an illustrative £10,000 excess covering breach-response, notification and third-party liability.
```mermaid
flowchart LR
    A(["Customer data<br/>breach risk"]) --> B(["TREAT first<br/>MFA, patching,<br/>training, less data"])
    B --> C(["Residual tail<br/>remains: rare,<br/>but ruinous"])
    C --> D(["TRANSFER it<br/>cyber policy,<br/>£10k excess (illustrative)"])
    D --> E(["Still owned by Larkfield:<br/>trust, regulator, headline"])
```
A year later a breach happens anyway. The policy pays the forensic and legal bills, and the board is glad it bought cover. But notice what insurance did not do: it did not restore customer confidence, answer the regulator, or write the apology. Those landed on Larkfield's leaders, exactly as the standards warned. The order of operations is the lesson: treat to shrink the risk, transfer the tail you can't shrink, and keep owning everything money can't buy back.
Frequently asked questions
What is the difference between risk transfer and risk sharing?
In everyday use they overlap, but the frameworks draw a deliberate line. "Transfer" suggests the risk has fully left you; "sharing", the term ISO 31000 prefers, acknowledges that you keep some of it, especially the accountability and any consequence money can't cover. Buying insurance, signing an indemnity clause and using a captive are all forms of sharing the financial load, never a clean hand-off of the whole problem.
Can you transfer a risk with something other than insurance?
Yes. Contracts are the other big lever: indemnity and hold-harmless clauses, liability caps, warranties and outsourcing all move financial exposure between parties. Hedging shifts market risk through financial instruments. Larger organisations sometimes form a captive, their own in-house insurer, to blend retention and transfer; the IRMI's primer on captive insurance is a solid starting point. The choice is a financing decision, not just a procurement one.
Why do insurers add so many exclusions and excesses?
To manage the two information problems that threaten every pool: adverse selection (the worst risks are keenest to buy) and moral hazard (people take less care once covered). An excess keeps you with skin in the game so you still prevent losses; exclusions and warranties stop the pool absorbing risks it never priced. They are the mechanism that keeps insurance affordable for the careful majority.
When does it not make sense to insure a risk?
When the loss is small enough to absorb, frequent enough that the premium just equals the expected loss plus margin, or cheap enough to prevent that you'd be paying twice. Insurance earns its keep on the rare, severe, hard-to-prevent tail, not on predictable running costs, which are better budgeted, retained, or engineered away.
If we're insured, can we relax on prevention?
No, and assuming otherwise is the moral-hazard trap the economics predicts. Cover replaces money, not the operational disruption, reputational damage or regulatory scrutiny of an incident, and lapsed prevention shows up as higher premiums, denied claims and a worse loss when one lands. Prevention and transfer are partners; insurance is the backstop behind the controls, not a replacement for them.
Related in the Toolkit
Transfer is only ever one answer on the menu, so it sits inside the wider disciplines of setting how much risk you'll carry (enterprise risk management & risk appetite) and of plotting each risk before you respond (risk identification & assessment).
- Enterprise risk management & risk appetite, your appetite sets how much risk you retain before you ever transfer the rest.
- Risk identification & assessment (likelihood × impact), the grid that tells you whether a risk belongs in transfer at all.
- Risk registers & mitigation strategies, where the transfer decision is recorded, owned and reviewed.
- Operational, financial, strategic & reputational risk, insurance covers the financial slice; the other three stay with you.
- Quantitative risk & scenario / stress testing, how you size the tail you're deciding whether to insure.
- Board roles, committees & responsibilities, who signs off the insurance programme and owns the residual risk.
- Employment law basics, much of what employers' liability and similar cover responds to is grounded in legal duty.
- Crisis management, what you still have to run when a claim pays out but the incident is far from over.
Where to go next
- Against the Gods: The Remarkable Story of Risk, Peter L. Bernstein (1996), the definitive popular history of how humanity learned to price risk; essential context for why insurance exists at all.
- "The Market for 'Lemons'", George Akerlof (1970), the Nobel-recognised paper behind adverse selection; the clearest explanation of why insurance markets need so much information.
- "COSO and ISO 31000 Risk Management Plans", Gallagher, a practitioner's side-by-side of the two frameworks, and where they overlap and diverge.
- "What's the difference between risk sharing and risk transfer?", Learn About Economics (YouTube), a short, clear video pinning down the distinction the frameworks insist on.