Which negative risk response usually has a contractual agreement?

B.

Transference is the risk response that transfers the risk to a third party, usually for a fee.

Insurance and subcontracting of dangerous works are two common examples of transference with a contractual obligation.

Incorrect Answers: A: Sharing is a positive risk response.

Note that sharing may also have contractual obligations, sometimes called teaming agreements.

C: Mitigation is a negative risk response used to lower the probability and/or impact of a risk event.

D: Exploiting is a positive risk response and not a negative response and doesn't have contractual obligations.

The correct answer is B. Transference.

Risk transference is the transfer of risk to a third party. The most common form of risk transference is through a contractual agreement. For example, an organization can transfer the risk of a cyberattack to an insurance company through a cyber insurance policy.

Risk sharing is a negative risk response where an organization shares the risk with another party, such as a partner or supplier. For example, a company may share the risk of a project with a vendor.

Risk mitigation is a risk response where an organization takes steps to reduce the likelihood or impact of a risk. This can include implementing controls, procedures, and policies to address the risk.

Risk exploitation is a risk response where an organization takes advantage of a risk for a potential gain. This is not typically considered a negative risk response.

In conclusion, the negative risk response that usually involves a contractual agreement is risk transference, which involves transferring the risk to a third party through a contractual agreement.