Business is inherently risky.
Types of risk abound: financial, legal, regulatory, reputational and more.
In the most extreme scenarios, failing to maintain an acceptable level of risk could result in injury or death, as in a factory; or, in the case of critical infrastructure, widespread economic catastrophe.
Even when the potential losses are less dire, however, every business, large and small, needs an effective risk management program, both as part of its project management and its overall enterprise management. This program should consider all the risks posed to the business: internal risks as well as external, including supply-chain risks.
Every risk management program will follow essentially the same action plan:
- Risk assessment
- Risk identification, including the root cause
- Risk analysis: weighing the probability of impact of the risk, if it materializes, against acceptable loss
- Risk prioritization
- Risk mitigation
- Risk monitoring
The centerpiece is careful risk mitigation planning.
“Mitigation” as defined by the Merriam-Webster dictionary means, “the process or result of making something less severe, dangerous, painful, harsh, or damaging.”
In project risk management and enterprise risk management, however, “mitigation” can have other meanings. In some cases, it can mean accepting a particular risk, aiming for a peaceful co-existence, or ignoring it altogether.
Risk mitigation strategies can also involve proactively thwarting identified risks from materializing by using controls, such as:
- Identity access management (IAM), limiting access to sensitive areas of a system or network to only the people who need it
- Segregation of duties, which, according to the American Institute of Certified Public Accountants, means “shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department” to reduce the risk of fraud and errors. This segregation is important to sound decision making. For instance, the developer of an application and the person pushing that app into production should be different people.
Conventional wisdom holds that there are four common risk mitigation strategies, typically avoidance, acceptance, transference and reduction or control. However, we’ve come up with 11 risk mitigation actions that your enterprise or project manager can take as part of your overall risk management strategy.
- Risk acceptance. Sometimes, the chance that something might happen is so minuscule, or the effects would be so negligible, that the risk hardly seems worth devoting time or effort to. If the probability of occurrence or its impact is low, you might opt for risk acceptance. For instance: As you’re crossing the street, the traffic light overhead could fall and strike you. But is this likely to happen? Probably not. So you accept the risk, and cross, anyway.
- Risk avoidance. Avoiding a risk often means not performing the risk event, or the act that carries the risk. Lending money to a customer who has defaulted on loans in the past poses a credit risk—that they will not repay you—so you might refuse their loan application.
- Risk transfer. When it isn’t feasible to accept or avoid risk, risk transference may be the best response. Driving with caution can reduce the chance of an accident, but we can’t be certain that others will drive carefully. Buying auto insurance allows us to transfer the risk to the insurer.
- Risk sharing. Spreading the risk by involving business partners, stakeholders, and other third parties means that, should the risk materialize, you won’t have to bear the responsibility or loss alone.
- Risk buffering. This involves giving the situation that creates the risk a bit of “padding.” Would adding people to your project’s team or extending its deadline reduce the risk of not finishing on time? Would having extra supplies on hand eliminate the risk of running out?
- Risk strategizing. Closely related to risk buffering, risk strategizing involves developing a “plan B,” or contingency plan, for certain risks. Is the project’s size making risk management a challenge? Have an alternate plan for handling it in segments.
- Risk testing. Running exhaustive tests to make sure your development project is secure or works as intended can ratchet its risk level way down. Resist the temptation to rush through or skip the testing phase to meet a deadline.
- Risk quantification. If risk were to materialize, how much money might your enterprise lose? Quantifying risks can help you make other decisions about them such as whether to buy insurance (risk transfer) or spread the risk and responsibility among additional stakeholders (risk-sharing) and where to place it among priorities in your risk register.
- Risk deferral. When it comes to new risks and potential risks, there’s no such thing as too much information. If you need to know more before you can determine a project’s or new product’s risk level or quantify its risk, putting it off until you get the answers may be the best solution to ward off disaster.
- Risk reduction. Using risk controls to reduce project or enterprise risk—perhaps with an auditor’s help—can not only improve the safety and security of your projects and the overall enterprise but provide you with certifications that can boost your business, as well. Popular frameworks for managing risk with controls include
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework. This framework helps organizations minimize risk overall with processes and improved controls.
- International Organization for Standardization (ISO) 31000:2018, Risk management—Guidelines.
- Risk digitization. Digital risks call for digital solutions to risk management. Are you using spreadsheets or other old-fashioned risk management tools to track and manage your risk mitigation strategies and overall risk management program, or have you joined the digital age with high-quality, user-friendly governance, risk management, and compliance solution?