The ultimate purpose of risk identification and analysis is to prepare for risk mitigation which includes reduction of the likelihood that a risk event will occur, and/or reduction of the effect of a risk event if the latter does occur. This time, we will show you the strategies to reduce or mitigate such risk and discuss the importance of risk mitigation planning and management in the first place.
RISK MITIGATION STRATEGIES
We can define risk mitigation as a process, in which we take steps to reduce adverse effects. There are five types of risk mitigation strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a mitigation strategy that is based on the cost/benefit analysis of possible mitigations and which closely relates to and matches your company’s profile.
“ACCEPT” RISK strategy
With some risks, the expenses involved in mitigating the risk is more than the cost of tolerating the risk. In this situation, the risks should be accepted and carefully monitored.
“AVOID” RISK strategy
In general, risks should be avoided that involve a high probability impact for both financial loss and damage.
“TRANSFER” RISK strategy
Risks that may have a low probability of taking place but would have a large financial impact should be mitigated by being shared or transferred, e.g. by purchasing insurance, forming a partnership, or outsourcing.
“REDUCE” RISK strategy
The most common mitigation strategy is risk limitation, e.g. businesses take some type of action to address a perceived risk and regulate their exposure. Risk limitation usually employs some risk acceptance and some risk avoidance.
“HEDGING” RISK strategy
Hedging assumes the additional risk that works in the opposite direction as the mitigated risk. While natural hedging organizes the business in a way that “internal” risks offset each other, external hedging uses the instruments that create offsetting risks (e.g. by locking the price secures us against the price fluctuations).
RISK MITIGATION PLANNING AND MANAGEMENT
Risk management is an ongoing effort that cannot stop after the risk identification phase or after a qualitative risk assessment. One Monte Carlo simulation or the setting of contingency levels cannot be your final destination!
This is why risk mitigation and management needs to be a long-term project that never truly ends. Some of the key issues when planning risk mitigation are:
• Do a cost-benefit analysis of mitigation effects vs. mitigation costs. If the mitigation costs are too high, it is best to assume the risk. Too often marginal risks are addressed just in case.
• Compare risk effects to risk tolerance or (appetite) if the risk is too high, then risk mitigation needs to be undertaken even if it might not be cost-effective.
• Risk mitigation should be approached like any initiative in a company with clearly divided responsibility, budgets and deadlines.
This accounts for the planning process of new risk mitigation measures, but existing measures also need to be continuously addressed. If risk mitigation is all about planning new measures, there is a danger that existing mitigation actions are neglected. Therefore, continuous management of existing measures is needed:
• Are the mitigation actions working as planned and are the activities being carried out?
• Occasional testing or audit of mitigation measures ensures that everyone remains vigilant.
• When incidents or near misses happen, it is critical to investigate which mitigation measures were not working.
LIMITS OF RISK MITIGATION
Another important issue to remember is that no risk mitigation measure is fully bulletproof. There always exist ways for things to go wrong that no one has thought of, as proven by almost all major man-made disasters ever. As a response to this, it is best to think risk measures as layers of swiss cheese, that stand in a way of a threat and an ultimate loss. Each layer reduces the risk somewhat but is ultimately imperfect.
Therefore it is important to prepare to act flexibly when risk indeed realizes.
If Dwight D. Eisenhower would be talking about risk management battles he would say “In preparing for the (risk management) battles, I have always found that (risk management) plans are useless, but planning is indispensable.”
P.S.: To refresh your knowledge about systematic risk management, check a few previous articles:
How to manage risks systematically?
Risk assessment [Part 1]: Setting up the risk measurement framework
Risk assessment [Part 2]: How to assess risks in practice?
Contact our team if you need help with risk assessment.
For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.