My answer is based on Risk Management in a general business context, rather than just in the insurance industry, and when i refer to "insurer," I am referring to a company that takes on transactional risks in a wide spectrum of business. My examples will come from the financial guarantor sector in which financial guarantors guaranty the performance of asset-backed transactions--that is, if a transaction fails to pay its investors their principal and interest payment each month, the financial guarantor makes the payment to investors.
First, risk managers, even though they would like to avoid risk entirely, are in the business of risk mitigation. Complete avoidance of risk is a theoretical possibility, but not an achievable goal. The only way to avoid risk entirely is not to accept any risk. Mitigation, then, is the key. The first step in risk mitigation is to perform what is called due diligence on the assets that support the transaction. For example, when a financial guarantor decides to guaranty a mortgage-backed security, which may have 20,000 individual real estate loans supporting the performance of the security, the risk management team learns everything it can about the quality of the underlying loans to determine whether the loans have all the qualities they are supposed to have. If, after the due diligence process, risk managers discover that a percentage of the underlying loans are defective in some respect, the risk managers recommend that the price of the guarantor's insurance reflect a higher than expected risk.
Second, after a risk management team completes the due diligence process, it is quite common for the financial guarantor to spread or transfer some of the risk to other financial guarantors. The primary guarantor might keep 50% of the transactional risk, but "off-loads" another 50% to five companies that each take 10% of the remaining risk. Of course, these five additional co-lenders or co-insurers get their share of the transaction's profits as compensation for their risk-taking. In some cases, a financial guarantor will re-insure an entire transaction to one or more companies, and the re-insurers, if they have to make payment, will take a substantial percentage of the profits.
Third, because we have been in a very volatile economic environment for the last ten years, risk managers have learned to their loss that risk mitigation requires a multi-faceted approach. Spreading and transfer of risk is now virtually a necessity, and due diligence has become an industry unto itself. Before the financial meltdown of 2008, many risk-taking companies performed their own due diligence, and although this still occurs, most companies also hire due diligence companies who specialize in evaluating certain types of assets.
All risk-taking companies have very sophisticated financial programs that tell them what a transaction's underlying risks should be in a particular economic environment, but if the environment becomes significantly worse, as it did in the mid-2000's, the financial models are often wrong. In the end, however, risk-taking companies understand that they cannot avoid risks, no matter what mitigation steps they might take. The fact is, risk-taking companies are in the business of taking risk, and they accept that risk but hope that their profits from a transaction compensate them adequately for the losses incurred by unforeseen risks.