7 risk mitigation strategies to protect business operations

Enterprises facing a multitude of threats and vulnerabilities have several options to identify, manage and mitigate risks, including risk acceptance, avoidance and transference.

Without risks to manage and threats to mitigate, life in business would be a lot easier. Internal risks, external risks and threats can disrupt or destroy the four critical elements that most enterprises need to operate: people, processes, technology and facilities. Each of the four elements can have vulnerabilities.

As part of an enterprise risk management program, risk mitigation strategies must not only identify risks and threats, such as organizational risks, but also stress the importance of identifying vulnerabilities that could open the door to risk events.

Risk mitigation planning

To address risks, threats and vulnerabilities, they must first be identified, validated and analyzed to determine the likelihood of an occurrence and its effect on the enterprise's business processes, employees and financials. A priority list should then be created that ranks each risk by its likelihood of occurrence and the severity of its impact on the enterprise. For example, a high-probability event with little or no impact on the enterprise, such as an employee calling in sick for one day, will be treated differently from a low-probability, high-impact event such as an earthquake.

Common risk mitigation strategies

Once a priority list has been established, design a strategy and plan the subsequent actions necessary to mitigate each risk, threat or vulnerability. The seven most widely used risk mitigation strategies, with some modifications, follow.

1. Accept and deal with the risk

The enterprise deems a risk sufficiently non-threatening to business operations and can effectively respond to a threat occurrence. Examples of risk acceptance include: accepting the risk to production schedule delays without damage to the business; accepting adjustments to budget expectations; and accepting the need for employees to continue working remotely.

2. Avoid the risk

The enterprise makes a conscious decision to avoid dealing with a specific risk and its outcome. Examples of risk avoidance include: identifying specific risks and suitable remedies or alternate processes to avoid potential negative outcomes; identifying all costs and unexpected costs for a project to avoid going over budget; and identifying qualified alternate members of a project team who can step in when necessary to avoid project delays.

3. Challenge the risk

When an identified risk emerges, the enterprise slows the event to an acceptable level, or terminates it, before it progresses to the point where it can damage the business. Examples of risk challenge include: evacuating employees in advance of a severe storm to minimize any potential risk to life; launching emergency power systems when a power outage occurs to minimize disruption in operations; and identifying a cybersecurity anomaly and immediately isolating the malware before it can spread into the company's internal computing environment.

4. Prioritize the risk

If more than one risk event occurs at the same time, such as a severe storm and loss of power, the organization establishes a priority list of actions to address the most critical risks first. Examples of risk prioritization include: activating backup procedures to protect systems and data due to an impending flood and its potential water damage to an office; and extinguishing a fire, shutting down power supplies and notifying the power company and fire department when a lightning strike causes a transformer to explode.

5. Control and manage the risk

Once risks are identified, assessed and prioritized, the enterprise defines how it will deal with specific risk incidents, then documents and tests those actions to ensure that they are appropriate and performed in the proper sequence. Examples of risk control and management include: establishing policies, such as physical security and data protection; developing business continuity and technology disaster recovery plans; and devising methods to track the time and costs spent on projects to ensure that delivery schedules are maintained and cost overruns are prevented.

6. Transfer the risk

Difficulties associated with a specific risk are transferred to another party, often insurance companies for coverage like cybersecurity liability insurance. Examples of risk transfer include: buying business interruption insurance to handle unplanned expenses in the aftermath of a cyber attack; reducing the likelihood of project mishaps by contracting a project management company to handle oversight of a particularly difficult project; and engaging the company's finance department to prevent project cost overruns.

7. Document and monitor the risk

All aspects of enterprise risk management, such as risk profiles, risk factors and inherent risk, are carefully documented at every stage of the process. Likewise, all risk-related activities are monitored to ensure that any issues are quickly identified and addressed. Examples of risk documentation and monitoring include: monitoring costs to prevent unplanned expenses that could send a project over budget; monitoring operational activities to prevent compliance issues; and using intrusion detection systems and firewalls to monitor incoming and outgoing data traffic to identify suspicious data packets that could signal a cyber attack.

Be prepared

Risk mitigation strategies are an important part of an overall enterprise risk management program and its associated risk mitigation planning activities. With multiple strategies available, risk managers have plenty of tools to deal with business risks, threats and vulnerabilities in the enterprise. While different strategies may be used for various risks, definitive mitigation strategies should be in place and ready to use.
