The process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations. Risk mitigation measures can be directed towards reducing the severity of risk consequences, reducing the probability of the risk materializing, or reducing the organization's exposure to the risk.
Types of Risk Mitigation
The Four Types of Risk Mitigation
There are four types of risk mitigation strategies that are specific to Business Continuity and Disaster Recovery. It is important to develop a strategy that closely relates to and matches your company's profile.
- Risk Acceptance: Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options, such as avoidance or limitation, may outweigh the cost of the risk itself. A company that does not want to spend a lot of money on avoiding risks that have a low probability of occurring will use the risk acceptance strategy.
- Risk Avoidance: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It is important to note that risk avoidance is usually the most expensive of all risk mitigation options.
- Risk Limitation: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company's exposure by taking some action. It combines a measure of risk acceptance with a measure of risk avoidance, striking a balance between the two. An example of risk limitation would be a company accepting that a disk drive may fail while avoiding a long period of failure by having backups.
- Risk Transference: Risk transference involves handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if the transferred risk is not a core competency of that company. It can also be used so that a company can focus more on its core competencies.
Risk Mitigation Planning
Risk Mitigation Action Plans
Risk mitigation action plans should be incorporated in the project execution plan, or risk analyses are just so much wallpaper. Risk mitigation plans should:
- Characterize the root causes of risks that have been identified and quantified in earlier phases of the risk management process.
- Evaluate risk interactions and common causes.
- Identify alternative mitigation strategies, methods, and tools for each major risk.
- Assess and prioritize mitigation alternatives.
- Select and commit the resources required for specific risk mitigation alternatives.
- Communicate planning results to all project participants for implementation.
Although risk mitigation plans may be developed in detail and executed by contractors, the owner's program and project management should develop standards for a consistent risk mitigation planning process. Owners should have independent, unbiased outside experts review the project's risk mitigation plans before final approval. This should be done prior to completing the project design or allocating funds for construction. Risk mitigation planning should continue beyond the end of the project by capturing data and lessons learned that can benefit future projects.
Risk Mitigation Strategies
There are several risk mitigation strategies that can be applied to assessed risks, as demonstrated in the image below.
- Accept: Make a deliberate decision to accept the risk and not develop any further plans to control it.
- Monitor: Review the risk universe for any changes that may influence the impact of the risk.
- Avoid: Change the risk processes and requirements to eliminate or reduce the risk.
- Control: Develop further risk mitigation plans to minimize the impact and/or likelihood of the risk.
- Transfer: Reassign responsibility for the risk to another department or stakeholder in the organization for acceptance.
Risk Mitigation Approach
Managing Internal and External Risk
Risk mitigation strategies must match the degree of control the enterprise has over the risk. Where the enterprise has significant control, the strategy should call for prevention measures; where there is limited control, mitigation and resiliency are the keys to reducing risk.
source: JAS Global Advisors
Assessment of Risk
Framework for Risk Assessment
Risk Based Testing
Risk IT Framework
Risk Management Framework (RMF)
Risk Maturity Model (RMM)
Corporate Governance of Information Technology (IT Governance)
Key Risk Indicator (KRI)
Business Continuity Planning (BCP)
Disaster Recovery Planning
Enterprise Risk Management (ERM)
Risk-Adjusted Return on Capital (RAROC)
Own Risk and Solvency Assessment (ORSA)