Without risks to manage and threats to mitigate, life in business would be a lot easier. Internal risks, external risks and threats can disrupt or destroy the four critical elements that most enterprises need to operate: people, processes, technology and facilities. Each of the four elements can have vulnerabilities.
As part of an enterprise risk management program, risk mitigation strategies must not only identify risks and threats, such as organizational risks, but also stress the importance of identifying vulnerabilities that could open the door to risk events.
Risk mitigation planning
To address risks, threats and vulnerabilities, they must be identified, validated and analyzed to determine the likelihood of an occurrence and its effect on the enterprise's business processes, employees and financials. A priority list should be created to rank each risk according to the likelihood of occurrence and the severity of its impact on the enterprise. For example, a high-probability event that has little or no impact on the enterprise, such as an employee calling in sick for one day, will be treated differently than a low-probability, high-impact event like an earthquake.
Common risk mitigation strategies
Once a priority list has been established, design a strategy and plan the subsequent actions necessary to mitigate the risk, threat or vulnerability. Following are the seven most widely used risk mitigation strategies with some modifications.
1. Accept and deal with the risk
The enterprise deems a risk sufficiently non-threatening to business operations and can effectively respond to a threat occurrence. Examples of risk acceptance include: accepting the risk to production schedule delays without damage to the business; accepting adjustments to budget expectations; and accepting the need for employees to continue working remotely.
2. Avoid the risk
The enterprise makes a conscious decision to avoid dealing with a specific risk and its outcome. Examples of risk avoidance include: identifying specific risks and suitable remedies or alternate processes to avoid potential negative outcomes; identifying all costs and unexpected costs for a project to avoid going over budget; and identifying qualified alternate members of a project team who can step in when necessary to avoid project delays.
3. Challenge the risk
When an identified risk emerges, the enterprise slows the event to an acceptable level or stops it before it progresses to the point where it can damage the business. Examples of risk challenge include: evacuating employees in advance of a severe storm to minimize any potential risk to life; launching emergency power systems when a power outage occurs to minimize disruption in operations; and identifying a cybersecurity anomaly and immediately isolating the malware before it can enter the company's internal computing environment.
4. Prioritize the risk
If more than one risk event occurs at the same time, such as a severe storm and loss of power, the organization establishes a priority list of actions to address the most critical risks first. Examples of risk prioritization include: activating backup procedures to protect systems and data due to an impending flood and its potential water damage to an office; and extinguishing a fire, shutting down power supplies and notifying the power company and fire department when a lightning strike causes a transformer to explode.
5. Control and manage the risk
Once risks are identified, assessed and prioritized, the enterprise deals with specific risk incidents, then documents and tests those actions to ensure that they're appropriate and in the proper sequence. Examples of risk control and management include: establishing policies, such as physical security and data protection; developing business continuity and technology disaster recovery plans; and devising methods to track the time and costs spent on projects to ensure that delivery schedules are maintained and cost overruns are prevented.
6. Transfer the risk
Difficulties associated with a specific risk are transferred to another party, often insurance companies for coverage like cybersecurity liability insurance. Examples of risk transfer include: buying business interruption insurance to handle unplanned expenses in the aftermath of a cyber attack; reducing the likelihood of project mishaps by contracting a project management company to handle oversight of a particularly difficult project; and engaging the company's finance department to prevent project cost overruns.
7. Document and monitor the risk
All aspects of enterprise risk management, such as risk profiles, risk factors and inherent risk, are carefully documented at every stage of the process. Likewise, all risk-related activities are monitored to ensure that any issues are quickly identified and addressed. Examples of risk documentation and monitoring include: monitoring costs to prevent unplanned expenses that could send a project over budget; monitoring operational activities to prevent compliance issues; and using intrusion detection systems and firewalls to monitor incoming and outgoing data traffic to identify suspicious data packets that could signal a cyber attack.
Risk mitigation strategies are an important part of an overall enterprise risk management program and its associated risk mitigation planning activities. With multiple strategies available, risk managers have plenty of tools to deal with business risks, threats and vulnerabilities in the enterprise. While different strategies may be used for various risks, definitive mitigation strategies should be in place and ready to use.