Mitigation is when the organisation takes steps to actively manage a risk, that is, to do something about it. This can take the form of actions or controls that change the risk now, or of plans to be executed if the risk actually materialises (known as fall-back or contingency plans). Mitigation may be put in place to hold a risk at its current assessed level, particularly where the organisation is satisfied that the level is already acceptable, or it may be implemented to reduce the risk to a level the organisation finds acceptable. In either case, mitigations are things that change the impact and/or the probability of a risk.
Risk assessment (covered in Session 4) determines the priority for treatment: risks with higher impact and higher probability are treated first. The organisation may also classify its risks so that the highest-priority ones are brought to attention, and decide how risk information is disseminated through the organisation by means of risk escalation.
Collectively, an organisation's risk mitigations are usually referred to as a risk treatment plan. Consider in more detail the two most common types of risk mitigation, actions and controls:
You have now looked individually at how ‘actions’ and ‘controls’ treat, or mitigate, risk. However, this is not the complete picture. To mitigate risk effectively, ‘actions’ and ‘controls’ must be used together systematically, since an action that reduces a risk once will not keep it at that level unless a control maintains it.
Here is an example from risk management that uses risks and controls: the UK National Risk Register.