Identify the overall approach for avoiding risks to the IT organization.  Example approaches include:

• Accept (as is)
• Mitigate/Reduce (accept and take some action on downside)
• Exploit (accept and take some action to capture upside)
• Transfer/Share (includes insure, contract, and such)
• Avoid (change business action to remove exposure to a risk)

Ensure that the overall approach is cost effective.  Determine levels of risk tolerance.