Risk Mitigation

The process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations. Risk mitigation measures can be directed towards reducing the severity of a risk's consequences, reducing the probability of the risk materializing, or reducing the organization's exposure to the risk.[1]

Types of Risk Mitigation

The Four Types of Risk Mitigation[2]
Four risk mitigation strategies are specific to Business Continuity and Disaster Recovery planning. The strategy chosen should closely match the company's risk profile.

  • Risk Acceptance: Risk acceptance reduces neither the likelihood nor the impact of a risk, but it is still a deliberate strategy. It is the usual choice when the cost of the other options, such as avoidance or limitation, would exceed the expected cost of the risk itself. A company that does not want to spend heavily on avoiding risks that are unlikely to occur will accept them.
  • Risk Avoidance: Risk avoidance is the opposite of risk acceptance: the organization eliminates its exposure to the risk entirely, for example by not undertaking the activity that creates it. Risk avoidance is usually the most expensive of the mitigation options.
  • Risk Limitation: Risk limitation is the most common risk management strategy used by businesses. The company limits its exposure by taking some action, combining a degree of acceptance with a degree of avoidance. For example, a company accepts that a disk drive may fail but limits the duration of the outage by keeping backups.
  • Risk Transference: Risk transference hands the risk off to a willing third party, for example by outsourcing operations such as customer service or payroll. This is beneficial when the transferred risk lies outside the company's core competencies, and it lets the company concentrate on those competencies. Note that transferring an operation does not transfer accountability for its outcomes: contracts and insurance shift cost, not responsibility.

Risk Mitigation Planning

Risk Mitigation Action Plans[3]
Risk mitigation action plans should be incorporated in the project execution plan, or risk analyses are just so much wallpaper. Risk mitigation plans should:

  • Characterize the root causes of risks that have been identified and quantified in earlier phases of the risk management process.
  • Evaluate risk interactions and common causes.
  • Identify alternative mitigation strategies, methods, and tools for each major risk.
  • Assess and prioritize mitigation alternatives.
  • Select and commit the resources required for specific risk mitigation alternatives.
  • Communicate planning results to all project participants for implementation.

Although risk mitigation plans may be developed in detail and executed by contractors, the owner’s program and project management should develop standards for a consistent risk mitigation planning process. Owners should have independent, unbiased outside experts review the project’s risk mitigation plans before final approval. This should be done prior to completing the project design or allocating funds for construction. Risk mitigation planning should continue beyond the end of the project by capturing data and lessons learned that can benefit future projects.
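As an added worked example (not from the page or any of its cited sources) of the "assess and prioritize mitigation alternatives" and "select and commit the resources" steps above, and of the rule under Risk Acceptance that a risk is accepted when every measure costs more than the risk it removes, the following Python compares each risk's options by residual expected loss plus the cost of the measure, and then ranks the winners by loss reduction per unit of cost under a budget. It assumes expected loss can be approximated as probability × impact; the risks, option names and figures are constructed sample data, not numbers from the page.

```python
"""Quantitative comparison and prioritization of risk mitigation options.

Added example, not from the original page. Annual expected loss is
modelled as probability x impact (a simplifying assumption); all risks,
options and figures below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    strategy: str               # "avoid", "limit" or "transfer"
    annual_cost: int            # recurring cost of the measure
    residual_probability: float  # probability after the measure
    residual_impact: int        # loss that still lands on us if it occurs


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float          # annual probability of occurrence
    impact: int                 # loss per occurrence, same currency as costs
    options: tuple              # Option instances


def expected_loss(probability: float, impact: float) -> float:
    return probability * impact


def evaluate(risk: Risk) -> list:
    """Rows of (name, strategy, annual_cost, residual_loss, total annual cost),
    cheapest total first. 'accept' is always present as the baseline row."""
    baseline = expected_loss(risk.probability, risk.impact)
    rows = [("accept", "accept", 0, baseline, baseline)]
    for o in risk.options:
        residual = expected_loss(o.residual_probability, o.residual_impact)
        rows.append((o.name, o.strategy, o.annual_cost, residual,
                     residual + o.annual_cost))
    rows.sort(key=lambda r: r[4])
    return rows


def recommend(risk: Risk) -> str:
    """Cheapest option by total annual cost; 'accept' wins whenever every
    measure costs more than the expected loss it removes."""
    return evaluate(risk)[0][0]


def prioritize(risks, budget: int) -> list:
    """Greedy selection across risks: take each risk's best non-accept option,
    rank by expected-loss reduction per unit of cost, and fund in that order
    until the budget runs out. Returns the funded (risk, option) names."""
    candidates = []
    for r in risks:
        baseline = expected_loss(r.probability, r.impact)
        best = evaluate(r)[0]
        if best[0] == "accept" or best[2] <= 0:
            continue                      # nothing worth funding for this risk
        reduction = baseline - best[4]
        candidates.append((reduction / best[2], r.name, best[0], best[2]))
    candidates.sort(reverse=True)         # highest reduction per unit cost first
    funded, remaining = [], budget
    for _, risk_name, option_name, cost in candidates:
        if cost <= remaining:
            funded.append((risk_name, option_name))
            remaining -= cost
    return funded


# Constructed sample risk register (illustrative figures only).
DISK = Risk("disk drive failure", 0.2, 50_000, (
    Option("nightly backups", "limit", 2_000, 0.2, 5_000),
    Option("move to managed storage", "avoid", 15_000, 0.0, 0),
    Option("hardware insurance", "transfer", 4_000, 0.2, 10_000),
))
FLOOD = Risk("office flood", 0.01, 100_000, (
    Option("flood barriers", "limit", 5_000, 0.005, 100_000),
))
PHISHING = Risk("credential phishing", 0.5, 40_000, (
    Option("phishing-resistant MFA", "limit", 6_000, 0.1, 40_000),
    Option("cyber insurance", "transfer", 9_000, 0.5, 8_000),
))
REGISTER = [DISK, FLOOD, PHISHING]

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: recommended option = {recommend(risk)}")
        for row in evaluate(risk):
            print("   %-26s %-8s cost=%6d residual=%8.0f total=%8.0f" % row)
    print("funded with budget 7000:", prioritize(REGISTER, 7_000))
```

The flood risk is accepted because its only measure costs more per year than the expected loss it removes, which is exactly the Risk Acceptance rule stated above; the disk risk is limited by backups rather than avoided, because avoidance costs more than the risk. The budget pass shows why prioritization matters: with 7,000 available only the backups are funded, and the MFA rollout has to wait for the next funding cycle even though it removes more loss in absolute terms.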

Risk Mitigation Strategies

Several risk mitigation strategies can be applied to a risk once it has been assessed, as shown in the figure below.

[Figure: Risk Mitigation Strategies (source: Workiva)]

  • Accept: Make a deliberate decision to accept the risk and not develop any further plans to control it.
  • Monitor: Review the risk universe for any changes that may influence the impact of the risk.
  • Avoid: Change the risk processes and requirements to eliminate or reduce the risk.
  • Control: Develop further risk mitigation plans to minimize the impact and/or likelihood of the risk.
  • Transfer: Reassign responsibility of the risk to another department or stakeholder in the organization for acceptance.

Risk Mitigation Approach

Managing Internal and External Risk[4]
Risk mitigation strategies must match the degree of control the enterprise has over the risk. Where the enterprise has significant control, the strategy should emphasize prevention; where control is limited, reducing the impact and building resiliency are the keys to reducing the risk.

[Figure: Risk Mitigation Approach (source: JAS Global Advisors)]

See Also

Assessment of Risk
Framework for Risk Assessment
Risk Based Testing
Risk IT Framework
Risk Management
Risk Management Framework (RMF)
Risk Matrix
Risk Maturity
Risk Maturity Model (RMM)
Corporate Governance of Information Technology (IT Governance)
Key Risk Indicator (KRI)
Business Continuity
Business Continuity Planning (BCP)
Disaster Recovery Planning
Enterprise Risk Management (ERM)
Crisis Management
Risk Analysis
Risk-Adjusted Return on Capital (RAROC)
Risk-Adjusted Return
Own Risk and Solvency Assessment (ORSA)


  1. Definition - What is Risk Mitigation? InvestorWords
  2. What are the Four Types of Risk Mitigation? MHA-IT
  3. Risk Mitigation Planning
  4. Managing Internal and External Risk through Risk Mitigation JAS

Further Reading

  • Risk Mitigation Planning, Implementation, and Progress Monitoring Mitre
  • 7 Ways To Mitigate Risk on Projects StrategyEx
  • Risk Mitigation And Management Scheme Based On Risk Priority Basit Shahzad, Sara Afzal Safvi
  • Risk Mitigation, Monitoring and Management Plan MHHE