This paper examines the application of risk management strategies to the protection of customer information privacy at the corporate level of analysis. The emerging discipline of privacy risk management is virtually non-existent in academic discourse despite an expressed and growing interest by regulators and practitioners. We show how the concept and practices of operational risk management can be adapted to managing privacy risk using Generally Accepted Privacy Principles (GAPP) as an example. As well, we show how the risk response strategies, specifically avoidance, mitigation and transfer, are likewise useful. We conclude that there is congruence between risk management principles and privacy obligations and offer a series of questions for further research.