In some cases, the eliminated asset is replaced with an alternative asset with a lower level of risk. • Risk sharing distributes some of the risk to another party (ISO/IEC, 2008). Typical arrangements include insurance, outsourcing or procurement. Risk sharing can include risk financing, which arranges funds to cover financial losses if they occur; and risk retention (typically residual risk after risk has been transferred) (ISO/IEC, 2008). For example, a customer is still responsible for a deductible after sharing a risk by purchasing an insurance policy. • Risk mitigation involves taking actions to reduce the likelihood or consequences of risk (ISO/IEC, 2008), reducing the overall impact of the risk. The above strategies address known risks that are at least partially within the firm's control. In some cases, the company may have no control over the source of the risk; and can only respond once the event has occurred. Uncontrollable risks require the development of contingency plans, specifying how the company will react if the risk occurs (Kendrick, 2009). For example, a contingency plan may specify a succession plan if a key executive