3.2 Mitigation actions
The more important each action is (i.e. the bigger the level of risk reduction it achieves) the more important it is to have assurance. Assurance of actions should look at:
- the effectiveness of the action in delivering the promised risk level
- the ability of the organisation to fund and deliver the action
- the timeliness of the action in respect to the risk (i.e. there is no value delivering an action after the risk is likely to have impacted)
- the level of risk reduction achieved for the amount spent on delivering the action (i.e. if the action costs more than the impact of the risk then it is unlikely to be a suitable course of action).