What Is Risk Mitigation?
Risks can pose a threat to a project or a business. Risk mitigation is the process of eliminating or lessening the impact of those risks. Teams can use risk mitigation in several ways to help protect a business.
Project leaders might use project risk management and mitigation to ensure the success of a specific project. Business leaders might use business risk mitigation — sometimes as part of overall enterprise risk management or enterprise risk assessment — to protect the long-term health of a company.
Why Is Risk Mitigation Important?
Risk mitigation is important because risks sometimes turn into realities. If your project team or business leaders haven’t figured out ways to deal with and lessen those risks, they can have a hugely negative impact on a project or business.
“Business risk mitigation is important because it helps organizations to identify and address potential risks that could impact their operations, reputation, or bottom line,” says Andrew Lokenauth, a former finance executive with Goldman Sachs and JP Morgan, an adjunct professor at the University of San Francisco School of Management, and the founder of Fluent in Finance. “By proactively managing risks, organizations can minimize disruptions and protect their assets, stakeholders, and long-term viability.”
Here are some of the top reasons that business risk mitigation is important:
- Maintain the Existence and Profitability of a Business: Some risks can torpedo the very existence of a business — especially if they happen when the business hasn’t prepared for them. Business leaders must identify and assess risks and figure out ways to lessen or eliminate high-priority risks.
- Maintain a Business Reputation for Stability: Some risks, when they happen, can damage a company’s customer relationships. Business leaders want customers to be able to trust the stability of a business. Preparing for risks helps ensure that stability.
- Keep Internal and External Stakeholders Happy: Both employees and external stakeholders want a business to succeed and be prepared for negative risks. Making sure your team performs good risk management — including risk mitigation — will give internal and external stakeholders confidence that the business is ready for any negative events.
- Keep Your Business Properties Safe from Natural Disasters: Uncontrollable natural events, such as catastrophic weather events (tornadoes, floods, and hurricanes), can pose as much of a threat to a business as economic forces. Your team should prepare business properties for those potential events. “If you’re opening a business in Florida, prepare for hurricanes,” says Erika Andresen, a business continuity and resilience expert, author, and founder of EaaS Consulting. “You're not going to put all your wiring in a basement or the ground floor. You have to do these little things.”
- Keep Your Staff and Others Safe: The mitigation measures you need for weather events will also protect the safety of your staff and others. Mitigation measures against problems such as fire damage can also protect staff and customers.
- Avoid Negative Societal and Economic Impacts: In some cases, risks to your organization can have large societal and economic impacts. Examples include risks to the operations of utilities, government agencies, or internet companies. Perform solid risk mitigation to prevent these negative risks or lessen their impact.
- Know That No One Else Will Do It for You: Many people believe that certain risks just won’t happen or that some government agency or other group is monitoring the situation and will assist if there is a problem. That is often not true.
“This is typical of most Americans — not even just business heads or business leaders — that you don’t think it’s gonna happen to you,” says Andresen. “You think if it does happen, it's not going to be that bad, and that you're going to get help from somewhere else. And all of those things are patently false.”
What Are the Types of Risk Mitigation?
When people talk about the types of risk mitigation, what they’re often referring to are types of risk responses or risk response strategies. Risk mitigation is one possible risk response, but it is not the only one.
Another important thing to remember is that not all risks are negative. There are positive risks — or opportunities — that can happen for your business as well. Experts have outlined five primary ways to respond to negative risks and five primary ways to respond to positive risks, both of which are important to the long-term health of a company.
These are the five primary risk response strategies for dealing with negative risks:
- Avoid: When teams choose to avoid risks, they take measures to eliminate the possibility of the risk occurring at all. Lokenauth explains that this might mean not engaging at all in certain especially risky activities, or avoiding putting a warehouse or other property in risky locations. “You just look at the risks, and you go, ‘Those risks are too high,’” says Luis Contreras, President and Principal Consultant for AzTech International, a California consultancy that helps organizations manage large, complex projects. “‘We’re not likely to succeed in that, so let's change our strategy.’ Avoiding it might be changing strategy or changing an overall business strategy if it’s important enough.”
- Mitigate: Risk mitigation involves taking steps to reduce the likelihood or impact of a risk.
- Transfer: Leaders can choose to transfer a risk to another entity. Buying insurance is a good example of transferring risk. You still take steps to prevent fires at your property, but when you buy fire insurance, the insurance company assumes much of the financial risk if a fire happens.
- Accept: In some cases, it is simply not possible or economically feasible to avoid or mitigate risk. Leaders might choose to accept certain risks that are too costly to try to affect or that are unlikely to happen. “It may not be possible or practical to avoid or reduce a risk,” Lokenauth says. “In these cases, organizations may choose to accept the risk and manage it as it arises.”
- Escalate: In project risk management — though not often in business risk mitigation — leaders choose to escalate certain risks. This response involves providing information on the risk to top organizational leadership, so they can make a decision. This is usually the response to a significant risk that would require significant costs to mitigate.
These are the five primary risk response strategies for positive risks:
- Share: If your company chooses to share a positive risk, that means it will work with another company or entity to take advantage of an opportunity. Sharing positive risk can increase the likelihood and impact of opportunities. However, it also requires that the company split the resulting benefits.
- Exploit: When a company chooses to exploit a positive risk, it devotes special attention and resources to making sure an event happens.
- Enhance: Companies can enhance positive risks by improving the likelihood that they will happen. This is different from exploiting a risk, because the possibility still exists that the opportunity will never arise.
- Accept: If your company understands that a positive risk might happen, it might prepare to act on it without investing resources to try to increase the chances that it will happen.
- Escalate: As with escalating negative risks, your team can escalate positive risks to company leadership to make decisions about which strategy to implement. This is common when teams identify opportunities that could have enormous benefit to the company but might take a large investment to enhance or exploit.
You can learn much more about risk assessments, and the primary ways that project managers and organizations can respond to both negative and positive risks, in this essential guide to project risk assessments.
Risk Mitigation Strategies
Businesses use a number of strategies to help them respond to business risks. These can include overall risk and contingency planning, as well as tactical moves, such as hiring a risk manager or outside risk management consultant.
Here are some overall risk response strategies teams can use:
- Risk Management Planning: Teams will very often produce a risk management plan for individual projects, but they can also create a risk management plan for an entire enterprise. This plan should describe how your team plans to identify, assess, respond to, and mitigate risks to the organization. You can learn much more about risk management plans and planning and can download risk management plan templates.
- Contingency Planning: Contingency planning is usually a part of project risk management, but teams can create contingency plans for their entire organization. Contingency plans include specific actions your team will take if a risk actually happens. The contingency plan might include extra funds or extra staff to respond to a risk.
- Business Continuity Planning: Business continuity planning is the most common risk response strategy that organizations use to deal with risks to the entire enterprise. For specific projects, organizations will more often use strategies such as contingency planning and project risk management planning. The goals of business continuity planning are to identify important risks to the organization and make plans for what the organization will do to lessen or eliminate those risks.
You can learn much more about business continuity plans. You can also download business continuity plan templates.
- Setting Aside Contingency Reserves: These are funds an organization sets aside to help it deal with and mitigate important risks if they happen.
- Employing a Risk Manager: Many organizations choose to employ a full-time risk manager to oversee the organization’s entire risk management program. This role may involve helping with project risk management, or overseeing the more general management of risk and compliance across an organization.
- Contracting with Outside Consultancies: Many organizations contract with outside risk experts to help with risk assessments and business continuity planning.
- Employee Training: Forward-thinking organizations also conduct employee training and drills to bolster their contingency and risk mitigation plans. The training helps employees understand what they should be doing if a risk happens. You can learn more about such training and drills as part of contingency plans.
- Product Testing: For software and technology companies especially, it’s important to do product testing throughout the development of a product. That testing will lower the risk that your organization will have to spend extra money to fix problems or to repeat development work.
- Following Information Security Best Practices: Information security issues are a huge risk for many organizations. Most organizations understand the importance of good information security practices, such as implementing strict password policies and two-factor authentication requirements.
Risk Mitigation Best Practices
Experts recommend following certain best practices for business risk mitigation. Some best practices include being proactive in identifying and assessing risks and making management policies clear to all stakeholders.
Here are some important best practices for business risk mitigation:
- Create a Strong Culture of Risk Management: It’s important that your organization and its leaders understand the importance of investing in solid risk management. Avoid the temptation to believe that risk management is not important or necessary.
“Humans want to avoid risks, so we want to even avoid the discussion of risks,” Contreras says. “Good risk management forces you to have those discussions. You have to face them and look them in the eye, then make some decisions on how you're going to handle them. Don't let it fall by the wayside.”
- Involve Stakeholders: Make sure you communicate with and involve stakeholders in your risk management work. That means asking for their input as you identify and assess risks.
- Create a Clear and Transparent Risk Management Framework and Policy: Your organization should outline the basics of its risk management program in a risk management policy. Everyone in your organization should have access to and understand that policy.
“A risk management policy should outline the organization's approach to risk management, including the roles and responsibilities of different stakeholders; the processes for identifying, analyzing, and responding to risks; and the methods for monitoring and reviewing the effectiveness of risk management efforts,” Lokenauth says.
- Be Proactive: It is vital for any organization to be proactive and aggressive in identifying and planning for risks.
Lokenauth recalls a time when he worked for a large company in New York that wasn’t prepared for all risks. When Hurricane Sandy hit in October 2012, the firm had no place for its employees to work.
“We were home for a week or two getting paid, and we weren't doing any work,” he says. “Things weren't getting done. It took them about a week or two to send us laptops. And then it took another week to try to figure out where to put us, to rent some space in Jersey City. If they had a plan in place for a thing like that, it would have been better.
“It's important to be proactive about identifying and addressing potential risks rather than waiting for them to occur,” he says.
Contreras adds that a business leader’s perspectives on risks can affect how an entire company approaches risk — either to the company’s benefit or to their detriment.
“Small and medium-sized businesses are usually led by one big leader,” he says. “That leader’s perspective can really sway the business — and maybe not in a good way. The leader might be super optimistic, always thinking, ‘Yeah, we can do this.’ But the leadership team really needs to look at things and ask, ‘What if it doesn’t go? What would be the downside here? What are the things that can go wrong?’ So you want to get people in a room and start thinking negatively. ‘What are the things that can go wrong? And what can we do about them? What can we do to mitigate them?’”
- Be Comprehensive: It’s important that your organization thinks about risks in all areas. Avoid focusing only on what leaders think might be the most obvious areas for risk.
“It's important to develop a comprehensive risk management plan rather than focusing on individual risks in isolation,” Lokenauth says.
- Seek Insight from Outsiders: Many organizations find it helpful to enlist outside groups or consultants to help them identify and assess risks for the organization. Outside groups see things from a fresh perspective and can provide valuable insights.
It’s important, Lokenauth says, “to work with a third party who doesn't know the business because you want independent eyes. You want someone to come in and tell you what you don't see.”
- Look at Other Companies’ Risk Assessments for Guidance: The risk assessments of many companies might not be available to you, but the U.S. Securities and Exchange Commission requires publicly traded companies to detail some of their risk assessments in their 10K annual reports.
Lokenauth recommends looking at the risk factors summary section of an annual report to see what risks that company has identified and what they plan to do to respond to those risks. “If you want to find examples,” he says, “look for another peer or competitor in the same industry and at their annual report.”
You can find public companies’ annual reports through the federal government’s EDGAR database. Public companies also tend to offer access to their 10K report on their website.
Below are examples of four public companies and the broad categories of risk that they have included in past 10Ks.
Broad Risk Categories That Selected Public Companies Use in Their Annual 10Ks

| Company | Industry | Size | Sample Risk Categories |
|---|---|---|---|
| Apple (AAPL) | Computers and Technology | Large Company | Macroeconomic and Industry Risks; Business Risks; Legal and Regulatory Compliance Risks; Financial Risks; General Risks |
| Exelixis (EXEL) | Drug Discovery | Midsized Company | Risks Related to the Commercialization of Our Products; Risks Related to Growth of Our Product Portfolio and Research and Development; Risks Related to Financial Matters; Risks Related to Our Relationships with Third Parties; Risks Related to Healthcare Regulatory and Other Legal Compliance Matters; Risks Related to Our Information Technology and Intellectual Property; Risks Related to Our Operations, Managing Our Growth and Employee Matters; Risks Related to Environmental and Product Liability; Risks Related to Our Common Stock |
| Allegiant Travel (ALGT) | Airline | Small Public Company | Risks Related to Allegiant; Risks Associated with the Airline and Travel Industry; Risks Related to Our Stock Price; Risks Related to the COVID-19 Pandemic |
| Masimo (MASI) | Medical Device Manufacturer | Small Public Company | Summary of Material Risk Factors; Risks Related to Our Revenues; Risks Related to Our Intellectual Property; Risks Related to Our Regulatory Environment; Risks Related to Our Business and Operations; Risks Related to Our Stock; General Risk Factors |
- Conduct Employee Training or Drills: Risk mitigation isn’t finished once a company writes a contingency plan. Leaders must also train employees to perform the actions outlined in the plan. They must also determine whether that contingency plan is going to be effective by performing drills. You can learn more about training and drills in contingency planning.
- Continuously Monitor Possible Risks: Too many organizations perform one risk assessment, then believe they are finished — sometimes for a year or two or more, experts say. However, risks are constantly changing, and organizations need to continually identify and assess new risks to avoid costly oversights. That means requiring routine risk assessments and creating a culture that is always monitoring and addressing new risks.
“You want to establish policies on how you identify and monitor risks, and you want to monitor them every month,” Lokenauth says. That can be as simple as making sure your risk department works through a monthly checklist of risks that you are tracking and what’s happening with them. It also means watching for new risks or for changing circumstances around current risks, experts say.
- Make Changes Where Needed: When your organization’s continual assessment shows that a new risk has arisen, or that an older risk is changing, it must make changes in its risk response plan.
“If you grow as a company, you now have a different footprint in which you need to assess your risk,” Andresen says. “If you shrink — again, you have a different footprint. You might not need the same control measures or countermeasures, and you can put that money somewhere else.”
- Communicate Your Risk Management Plans: It’s vital that your organization communicates often and effectively with organization leaders, employees, and other stakeholders about the organization’s risk management work.
What Is the Risk Mitigation Process?
Experts sometimes use the term risk mitigation process to describe how organizations identify, assess, and prepare to lessen or mitigate risks. More often, experts use the term risk management to describe that work.
Here are the seven basic steps of the risk management process:
- Identify All Possible Risks: Gather a team or multiple teams to offer input on all possible risks to your organization. You might do this through formal meetings or gather input in other ways.
“The first thing you would do is have every department do their risk analysis — but not in a silo,” Andresen says. “You do want them talking to each other. Because you’ll get some people being inspired by the others. You’ll get others validating the risk of others. And you get a whole operating picture of the entire company: ‘Where are we weak? Where are we strong?’”
Lokenauth suggests using such options as “brainstorming sessions, risk assessments, or reviewing industry data” to identify risks.
Ask everyone involved — internally and externally — to think broadly about all possible risks. Your team can use a questionnaire to assess potential risks to your organization and analyze its risk culture.
- Analyze Risk Probability and Impact: After your team identifies all risks, it will need to assess each risk’s probability and the potential impact on your business.
“You have to figure out what exactly is the most vital piece of your ability to conduct your business, then figure out the risks to that,” Andresen says. “Then you have to look at internal and external risks. What are the internal risks that you can encounter? And what are your external risks that you could potentially encounter? How do you want to solve for them?”
Contreras notes that your team can also assess the top risks for various departments within your organization, along with various kinds of risks. “If, say, it's a supplier risk, what are the top three suppliers that we should be concerned about?” he says. “And what are the top three infrastructure risks? What are the top three HR staffing risks that we have?”
- Prioritize Risks: Once your team has studied and assessed the probability and potential impact of each risk, it must then prioritize which risks are most important to address.
“As the likelihood becomes very high — let's say over 50 percent — then you decide, ‘OK, we need to do something to mitigate that,’” Contreras says. “Then the second determination would be: ‘What's the cost?’ If it’s high likelihood and high dollars, those are the ones you do want to focus on — the more likely it is to happen and the more obvious the cost impact.”
For example, a risk that could cost your organization millions of dollars will take priority over a risk that would cost them thousands at most. Similarly, a risk that is almost certain to happen will take priority over a risk that has almost no chance of happening.
- Create Response Plans: Create plans to deal with or lessen the effects of the most important risks. Your organization likely won’t have the resources to mitigate every risk your company identifies. That’s why you prioritize the most important risks to face.
“The next step is to develop responses to address the important risks,” Lokenauth says. “This may involve implementing controls or safeguards to prevent the risk from occurring, transferring the risk to a third party, or accepting the risk and managing it as it arises.”
Lokenauth adds that your team should consider the costs to your organization of mitigating even the high-priority risks. If mitigating a high-priority risk will be prohibitively expensive, an organization might decide to simply accept that risk, while mitigating lower-priority risks.
- Track and Monitor Risks: Remember that business risk mitigation is an ongoing, evolving process. Continually track risks and potential changes in risk probability or impact.
Contreras suggests that risk teams hold regular meetings to assess and monitor risks. “You probably should make it monthly — where you revisit the risks, and you're either changing the probability, or you're taking some out because they didn't happen, or some of them occurred,” he says. “Now, it becomes not a risk, but an issue — a problem that you have to begin to solve.”
- Monitor Mitigation Measures: Your organization should also monitor its mitigation measures. Monitor how and whether your teams are implementing risk mitigation measures. In addition, monitor how the mitigation measures are working and what risks have already occurred.
- Report to Organization Leaders: Regularly report to organizational leaders about ongoing risks and mitigation measures.
Example Risk Response Plan
Download a Sample Business Risk Response Plan for Excel | Microsoft Word
Download this completed example business risk response plan that can help your team understand how to write a risk response plan for your organization. This plan includes sample data, with components such as the risk, its severity, a description of the mitigation plan for that risk, and whether and how that mitigation plan is working. Use this template as a starting point, and customize it to create your own business risk response plan.
Risk Mitigation by Departments and Broad Areas
Teams can assess business risks by department, such as operations or sales. They can also assess them by broad categories, such as technical risks or compliance risks. This will help organizations avoid costly oversights during risk mitigation.
Organizations might assess risk in various departments, such as the following:
- Finance
- Human Resources
- Legal
- Operations
- Sales
They might also assess risks in broader, thematic areas. Those areas might include:
- Compliance Risks: There can be risks in areas where laws or government rules require certain actions and issue penalties for noncompliance.
- Management Risks: There can be risks surrounding a company’s management, such as a key leader leaving the company.
- Operational Risks: Risks can arise based on the operational structure of your organization, such as how it sources materials or hires staff members.
- Overall Costs Risks: Some risks threaten to significantly increase your company’s costs to operate.
- Reputational Risks: Some risks relate to your company’s image and reputation among customers or clients.
- Resources Risks: There can be risks to the resources your company needs to operate.
- Strategic Risks: Some risks involve a company’s overall business strategy.
- Technical Risks: There can be risks related to technology your company is using or producing.
Your team might also consider doing what is called a PESTLE analysis. In this analysis, your team considers the overall business environment and potential risk in six areas: political, economic, social, technological, environmental, and legal.
Tip: You might see this type of analysis written as a PESTEL analysis. Both acronyms indicate the same six areas but are written in a different order.
PESTLE Analysis Template
Download a PESTLE Analysis Template for Excel | Microsoft Word
Download this template to help guide you through a PESTLE analysis. This analysis helps your team focus on and think about risks to the business in six broad areas. Use the empty columns to list potential risks to your organization in each category and summarize your risk mitigation plan.
Risk Mitigation Tools
A variety of tools are available to help your team assess and mitigate risks. These include risk management plans and assessments. Many companies also use risk assessment frameworks (RAFs), which specifically measure IT risks.
These are some tools that can help all companies with risk management and risk mitigation:
- Risk Assessment Matrix: A risk assessment matrix can help your team calibrate risks based on probability and impact.
- SWOT Analysis: A SWOT analysis can help your team analyze threats to your organization, along with strengths, weaknesses, and opportunities.
- Root Cause Analysis: A root cause analysis can help your team determine the root cause of an issue or problem affecting your company.
- Business Impact Analysis: A business impact analysis is a process that teams work through to assess the possible effects of major interruptions to an organization’s operations. Most often, these potential interruptions are events such as natural disasters, major accidents, or other emergencies.
These are some common RAFs that IT experts use:
- Factor Analysis of Information Risk (FAIR)
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) Risk Management Framework
- Control Objectives for Information Technologies (COBIT) from the Information Systems Audit and Control Association
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework from Carnegie Mellon University
- Risk Management Framework from the National Institute of Standards and Technology (NIST)
- Threat Agent Risk Assessment (TARA), created by Intel
Risk Mitigation vs. Contingency
A risk mitigation plan might include a contingency reserve or contingency. While the risk mitigation plan includes many elements, the contingency is simply a reserve of funds, time, or other resources that can help mitigate certain risks.
Risk Mitigation vs. Risk Management
Risk mitigation is one part of the entire risk management process. When your organization performs risk management, it will perform risk assessments that might call for risk mitigation.
Stay on Top of Business Risks with Real-Time Work Management in Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.