Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business. Comparable to risk reduction, risk mitigation takes steps to reduce the negative effects of threats and disasters on business continuity (BC). Threats that might put a business at risk include cyberattacks, weather events and other causes of physical or virtual damage. Risk mitigation is one element of risk management and its implementation will differ by organization.
What is the goal of risk mitigation?
Risk mitigation is the process of planning for disasters and having a way to lessen negative impacts.
Although the principle of risk mitigation is to prepare a business for all potential risks, a proper risk mitigation plan will weigh the impact of each risk and prioritize planning around that impact. Risk mitigation focuses on the inevitability of some disasters and is used for those situations where a threat cannot be avoided entirely. Rather than planning to avoid a risk, mitigation deals with the aftermath of a disaster and the steps that can be taken prior to the event occurring to reduce adverse and, potentially, long-term effects.
Ideally, an organization would be prepared for all risks and threats and avoid them entirely. However, having a risk mitigation plan can help an organization prepare for the worst, acknowledging that some degree of damage will occur and having systems in place to confront that.
What's in a risk mitigation plan?
When creating a risk mitigation plan, there are a few steps that are fairly standard for most organizations. Recognizing recurring risks, prioritizing risk mitigation and monitoring the established plan are vital aspects to maintaining a thorough risk mitigation strategy.
There are five general steps in the design process of a risk mitigation plan:
- Identify all possible events in which risk is presented. A risk mitigation strategy takes into account not only the priorities and protection of mission-critical data of each organization, but any risks that might arise due to the nature of the field or geographic location. A risk mitigation strategy must also factor in an organization's employees and their needs.
- Perform a risk assessment, which involves quantifying the level of risk in the events identified. Risk assessments involve measures, processes and controls to reduce the impact of risk.
- Prioritize risks, which involves ranking quantified risk in terms of severity. One aspect of risk mitigation is prioritization -- accepting an amount of risk in one part of the organization to better protect another. By establishing an acceptable level of risk for different areas, an organization can better prepare the resources needed for BC, while putting fewer mission-critical business functions on the back burner.
- Track risks, which involves monitoring risks as they change in severity or relevance to the organization. It's important to have strong metrics for tracking risk as it evolves, and for tracking the plan's ability to meet compliance requirements.
- Implement and monitor progress, which involves reevaluating the plan's effectiveness in identifying risk and improving as needed. In business continuity planning, testing a plan is vital. Risk mitigation is no different. Once a plan is in place, regular testing and analysis should occur to make sure the plan is up to date and functioning well. Risks facing data centers are constantly evolving, so risk mitigation plans should reflect any changes in risk or shifting priorities.
Types of risk mitigation strategies
There are several types of risk mitigation strategies. Often, these strategies are used in combination with each other, and one may be preferable over another, depending on the company's risk landscape. They are all part of the broader practice of risk management.
- Risk avoidance is used when the consequences are deemed too high to justify the cost of mitigating the problem. For example, an organization can choose not to undertake certain business activities or practices to avoid any exposure to the threat they might pose. Risk avoidance is a common business strategy and can range from something as simple as limiting investments to something as severe as not building offices in potential war zones.
- Risk acceptance is accepting a risk for a given period of time to prioritize mitigation effort on other risks.
- Risk transfer allocates risks between different parties, consistent with their capacity to protect against or mitigate the risk. One example of this would be a defective product built with some amount of third-party material. The producer of the product may transfer responsibility for a certain fraction of the risk because of this.
- Risk monitoring is the act of watching projects and the associated risks for changes in the impact of the associated risks.
Risk can affect any combination of performance, cost and scheduling; therefore, different strategies should be used to address risks based on the way they affect these factors. For example, it might be more important for a company to perform well than for it to save money in a certain project scenario. The company would likely employ a risk acceptance strategy, temporarily prioritizing risks that affect performance more heavily than cost.
Risk mitigation best practices
Below are some risk mitigation best practices that information security professionals should follow:
- Make sure stakeholders are involved at each step. Stakeholders may be employees, managers, unions, shareholders or clients. All perspectives are important for developing a comprehensive, holistic risk mitigation strategy.
- Create a strong culture around risk management. This means communicating the values, attitudes and beliefs surrounding risk and compliance from the top down. It's important for every employee to have risk awareness, but the probability of a strong culture is greatly improved when management sets the tone.
- Communicate risks as they arise. Risk awareness must be strong throughout the entire organization, so facilitating communication of new, high-impact risks is important to keep everyone up to speed.
- Ensure risk management policy is clear so employees are able to follow it. Roles and responsibilities should be clearly defined, and each defined risk needs a clear process for dealing with it.
- Continuously monitor possible risks. Risk monitoring practices should also be clearly defined and implemented to continuously improve the risk mitigation plan.
Risk mitigation tools
One commonly used risk mitigation tool is a risk assessment framework (RAF). An RAF provides an organization with an outline of which systems are at high or low risk and presents information for both technical and nontechnical personnel. An RAF can be used as a risk mitigation tool by presenting consistent risk assessment and reporting methods.
Common RAFs include the Risk Management Guide for Information Technology Systems from the National Institute of Standards and Technology (NIST); the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from Carnegie Mellon University; and Control Objectives for Information and Related Technology (COBIT) from the Information Systems Audit and Control Association (ISACA). The Mitre website also offers comprehensive guidelines for risk mitigation.
Some other commonly used risk mitigation tools are:
- A probability and impact matrix.
- A SWOT (strengths, weaknesses, opportunities, threats) analysis.
- A root cause analysis.
Along with having a keen understanding of internal needs and resources, external specialists can also be a beneficial part of a risk mitigation plan. Several BC and disaster recovery (DR) vendors focus on risk mitigation, and even smaller organizations can take advantage of DR as a service (DRaaS) vendors to keep costs relatively low.