What Is Risk Mitigation - Definition, Strategies and Planning

Risk mitigation is a strategy to prepare for threats and lessen their negative effects. It involves identifying risks, assessing their likelihood and impact, prioritizing risks, tracking them over time, and implementing plans to reduce damage. Common risk mitigation strategies include risk avoidance, acceptance, transfer, and monitoring. Organizations should involve stakeholders, communicate risks, and continuously monitor and update their risk mitigation plans.

Uploaded by Javeed A. Khan

11/14/22, 10:31 AM What is Risk Mitigation?

Definition, Strategies and Planning

Ben Lutkevich, Technical Writer

Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business. Comparable
to risk reduction, risk mitigation takes steps to reduce the negative effects of threats and disasters
on business continuity (BC). Threats that might put a business at risk include cyberattacks, weather events
and other causes of physical or virtual damage. Risk mitigation is one element of risk management and its
implementation will differ by organization.

What is the goal of risk mitigation?


Risk mitigation is the process of planning for disasters and having a way to lessen negative impacts.

Although the principle of risk mitigation is to prepare a business for all potential risks, a proper risk mitigation
plan will weigh the impact of each risk and prioritize planning around that impact. Risk mitigation focuses on
the inevitability of some disasters and is used for those situations where a threat cannot be avoided entirely.
Rather than planning to avoid a risk, mitigation deals with the aftermath of a disaster and the steps that can
be taken prior to the event occurring to reduce adverse and, potentially, long-term effects.

Ideally, an organization would be prepared for all risks and threats and avoid them entirely. However, having
a risk mitigation plan can help an organization prepare for the worst, acknowledging that some degree of
damage will occur and having systems in place to confront that.

A diagram laying out the steps in risk mitigation plan development.

https://www.techtarget.com/searchdisasterrecovery/definition/risk-mitigation 1/4

What's in a risk mitigation plan?


When creating a risk mitigation plan, there are a few steps that are fairly standard for most organizations.
Recognizing recurring risks, prioritizing risk mitigation and monitoring the established plan are vital aspects
to maintaining a thorough risk mitigation strategy.


There are five general steps in the design process of a risk mitigation plan:

1. Identify all possible events in which risk is presented. A risk mitigation strategy takes into account not only the priorities and protection of mission-critical data of each organization, but any risks that might arise due to the nature of the field or geographic location. A risk mitigation strategy must also factor in an organization's employees and their needs.
2. Perform a risk assessment, which involves quantifying the level of risk in the events identified. Risk assessments involve measures, processes and controls to reduce the impact of risk.
3. Prioritize risks, which involves ranking quantified risk in terms of severity. One aspect of risk mitigation is prioritization -- accepting an amount of risk in one part of the organization to better protect another. By establishing an acceptable level of risk for different areas, an organization can better prepare the resources needed for BC, while putting fewer mission-critical business functions on the back burner.
4. Track risks, which involves monitoring risks as they change in severity or relevance to the organization. It's important to have strong metrics for tracking risk as it evolves, and for tracking the plan's ability to meet compliance requirements.
5. Implement and monitor progress, which involves reevaluating the plan's effectiveness in identifying risk and improving as needed. In business continuity planning, testing a plan is vital. Risk mitigation is no different. Once a plan is in place, regular testing and analysis should occur to make sure the plan is up to date and functioning well. Risks facing data centers are constantly evolving, so risk mitigation plans should reflect any changes in risk or shifting priorities.

Types of risk mitigation strategies


There are several types of risk mitigation strategies. Often, these strategies are used in combination with
each other, and one may be preferable over another, depending on the company's risk landscape. They are
all part of the broader practice of risk management.

Risk avoidance is used when the consequences are deemed too high to justify the cost of mitigating the problem. For example, an organization can choose not to undertake certain business activities or practices to avoid any exposure to the threat they might pose. Risk avoidance is a common business strategy and can range from something as simple as limiting investments to something as severe as not building offices in potential war zones.

Risk acceptance is accepting a risk for a given period of time to prioritize mitigation effort on other risks.

Risk transfer allocates risks between different parties, consistent with their capacity to protect against or mitigate the risk. One example of this would be a defective product built with some amount of third-party material. The producer of the product may transfer responsibility for a certain fraction of the risk because of this.

Risk monitoring is the act of watching projects and their associated risks for changes in impact.

Risk can affect any combination of performance, cost and scheduling; therefore, different strategies should
be used to address risks based on the way they affect these factors. For example, it might be more important
for a company to perform well than for it to save money in a certain project scenario. The company would
likely employ a risk acceptance strategy, temporarily prioritizing risks that affect performance more heavily
than cost.

A diagram showing how quantitative risk assessment can be used to evaluate the likelihood and impact of risk events.

Risk mitigation best practices


Below are some risk mitigation best practices that information security professionals should follow:

Make sure stakeholders are involved at each step. Stakeholders may be employees, managers, unions, shareholders or clients. All perspectives are important for developing a comprehensive, holistic risk mitigation strategy.

Create a strong culture around risk management. This means communicating the values, attitudes and beliefs surrounding risk and compliance from the top down. It's important for every employee to have risk awareness, but the probability of a strong culture is greatly improved when management sets the tone.

Communicate risks as they arise. Risk awareness must be strong throughout the entire organization, so facilitating communication of new, high-impact risks is important to keep everyone up to speed.

Ensure risk management policy is clear so employees are able to follow it. Roles and responsibilities should be clearly defined, and each defined risk needs a clear process for dealing with it.

Continuously monitor possible risks. Risk monitoring practices should also be clearly defined and implemented to continuously improve the risk mitigation plan.

Risk mitigation tools


One commonly used risk mitigation tool is a risk assessment framework (RAF). An RAF provides an
organization with an outline of which systems are at high or low risk and presents information for both
technical and nontechnical personnel. An RAF can be used as a risk mitigation tool by presenting consistent
risk assessment and reporting methods.

Common RAFs include the Risk Management Guide for Information Technology Systems from the National
Institute of Standards and Technology (NIST); the Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE) from Carnegie Mellon University; and Control Objectives for Information and Related
Technology (COBIT) from the Information Systems Audit and Control Association (ISACA). The Mitre
website also offers comprehensive guidelines for risk mitigation.

Some other commonly used risk mitigation tools are:

1. A probability and impact matrix.
2. A SWOT (strengths, weaknesses, opportunities, threats) analysis.
3. A root cause analysis.
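The probability and impact matrix named above is also the quantitative core of the five plan-design steps described earlier (identify, assess, prioritize, track, implement and monitor). The following risk register walks those steps against a matrix. It is an added example, not code from the article or from TechTarget; the 1-5 likelihood and impact scales, the band thresholds, the time-boxed handling of risk acceptance and the sample risks are all constructed assumptions for illustration.

```python
"""Risk register walking the article's five steps with a probability-and-impact
matrix. Added example, not code from the article; the 1-5 scales, the band
thresholds and the sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

STRATEGIES = {"avoid", "accept", "transfer", "monitor"}


def risk_band(likelihood: int, impact: int) -> str:
    """Probability-and-impact matrix: score = likelihood x impact (1..25).
    Band thresholds (>=15 high, >=8 medium) are an assumption of this example."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be in 1..5, got {value}")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    strategy: str = "monitor"                 # avoid | accept | transfer | monitor
    accepted_until: Optional[date] = None     # end of the acceptance period
    history: List[Tuple[date, int]] = field(default_factory=list)  # (date, score)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return risk_band(self.likelihood, self.impact)


class RiskRegister:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}

    # Steps 1 and 2: identify the event and quantify it on the matrix.
    def identify(self, name: str, likelihood: int, impact: int, as_of: str,
                 strategy: str = "monitor", accepted_until: Optional[str] = None) -> Risk:
        if strategy not in STRATEGIES:
            raise ValueError(f"unknown strategy {strategy!r}")
        if strategy == "accept" and accepted_until is None:
            raise ValueError("risk acceptance needs an end date")
        until = date.fromisoformat(accepted_until) if accepted_until else None
        risk = Risk(name, likelihood, impact, strategy, until)
        risk.history.append((date.fromisoformat(as_of), risk.score))
        self.risks[name] = risk
        return risk

    # Step 3: rank by severity, worst first; ties go to the higher impact.
    def prioritize(self) -> List[str]:
        ordered = sorted(self.risks.values(), key=lambda r: (-r.score, -r.impact, r.name))
        return [r.name for r in ordered]

    # Step 4: track how a risk changes over time; returns (old score, new score).
    def reassess(self, name: str, likelihood: int, impact: int, as_of: str) -> Tuple[int, int]:
        risk = self.risks[name]
        old = risk.score
        risk.likelihood, risk.impact = likelihood, impact
        risk.history.append((date.fromisoformat(as_of), risk.score))
        return old, risk.score

    # Step 5: periodic review; flags entries whose treatment no longer fits.
    def review(self, as_of: str) -> List[Tuple[str, str]]:
        today = date.fromisoformat(as_of)
        findings = []
        for name in self.prioritize():
            risk = self.risks[name]
            if risk.strategy == "accept" and risk.accepted_until and today > risk.accepted_until:
                findings.append((name, "acceptance period expired; decide again"))
            elif risk.band == "high" and risk.strategy in ("accept", "monitor"):
                findings.append((name, "high-band risk is only accepted/monitored"))
        return findings


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for a fictional company; not real data."""
    reg = RiskRegister()
    d = "2022-11-14"
    reg.identify("ransomware on file servers", 4, 5, d)                         # 20, high
    reg.identify("flooding at primary data center", 2, 5, d, "transfer")        # 10, medium
    reg.identify("end-of-life VPN appliance", 3, 3, d, "accept", "2023-03-31")  # 9, medium
    reg.identify("office coffee machine outage", 5, 1, d)                       # 5, low
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("priority order:", reg.prioritize())
    print("review 2022-11-14:", reg.review("2022-11-14"))
    print("VPN reassessed:", reg.reassess("end-of-life VPN appliance", 4, 4, "2023-04-01"))
    print("review 2023-04-01:", reg.review("2023-04-01"))
```

The review step is where the strategy definitions bite: an acceptance is only valid for its stated period, so the register forces a new decision once that date passes, and a risk that has climbed into the high band while being merely monitored is surfaced for an avoid or transfer decision rather than silently staying on the list.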

Along with having a keen understanding of internal needs and resources, external specialists can also be a
beneficial part of a risk mitigation plan. Several BC and disaster recovery (DR) vendors focus on risk
mitigation, and even smaller organizations can take advantage of DR as a service (DRaaS) vendors to keep
costs relatively low.
