Make Risk Mitigation Work for Your Business (+Template)
The best kind of emergency is one that never happens. But you can manage the impact of unavoidable events with a good risk mitigation plan. In this article, learn the benefits of prioritizing risk mitigation and how to build your own plan.
Emergencies come in many different shapes and sizes, but the thread you need to follow in each case is the potential for harm to your people and operations. Some of these emergencies are simply unavoidable. But the more you can anticipate and prepare for, the better your chances of organizational safety, security, and resilience.
When Hurricane Harvey severely threatened Gulf Coast Regional Blood Center’s operations in Houston, failure wasn’t an option. Gulf Coast residents were in dire need of blood due to the large number of injuries sustained in the hurricane. In short: They didn’t have time to scale back and regroup after the hurricane—they had to adapt right away. So, they used their AlertMedia mass notification system to create ad-hoc procedures to keep blood circulating in the middle of one of the worst storms the U.S. has ever seen. This is the essence of risk mitigation.
To mitigate risk, you don’t have to overhaul your operations. As Steve Richard, SVP of Enterprise Risk Management for Becton Dickinson, puts it, “We focus on avoiding bad things but also on enabling the businesses to operate without disruption. We partner with our executives to make sure what we ask of them is less intrusive and as efficient as possible. We want the benefits of a sound ERM program with as little burden as possible.”
Every business faces risks—weather and natural disasters, occupational hazards, cybersecurity and system outages, and workplace violence—and there is no way to fully avoid every possible risk. But with a good risk management process in place and a strong risk mitigation plan, you can prevent a crisis event from having a massive impact on your business, getting as close as you can to stopping an emergency before it starts.
What Is Risk Mitigation?
Risk mitigation is the process of planning and preparing for a potential threat or emergency in order to lessen the risk and/or impact.
You can mitigate risk for all kinds of emergencies in a variety of ways. For example, to mitigate the risk of workplace violence, you can focus on:
- Running active shooter drills
- Performing target hardening on your building to eliminate vulnerabilities
- Training your employees in tactics such as run, hide, fight
For a natural disaster like a hurricane, you can mitigate risk by:
- Creating an evacuation plan
- Understanding hurricane categories
- Monitoring for storms to detect them early
- Securing your facilities
- Communicating with employees throughout the event
The risks you face will vary depending on your location and industry—and if your business has multiple locations, there will be different risks to each site. But the goal of risk mitigation is to properly identify your specific risks and your vulnerabilities to those risks, and then work to address them proactively.
With common risk mitigation strategies, you are simultaneously:
- Working to reduce your risk profile by lessening the likelihood of an emergency
- Strengthening your response to lessen the impact if an emergency does occur
Risk mitigation vs. risk prevention
Simply put, risk mitigation is the practice of diminishing the impact of an event, while risk prevention focuses on avoiding those events entirely.
There are a lot of similarities between risk mitigation actions and risk prevention since they both work toward the goal of protecting an organization, its people, and its business processes. In fact, they are almost always used in conjunction to create multiple layers of security.
Prevention is a major element of emergency preparedness, but there is no way to prevent all emergencies all the time, so it’s just as important to plan how you will lessen the impact when something does go wrong. That’s where risk mitigation comes into play.
Which Risk Response Is Right for Your Business?
A critical aspect of good risk mitigation and overall risk management is understanding what kinds of risks your business faces. Before you dive into building out a plan, first you need to perform risk identification and prioritization through a threat assessment.
This risk assessment is a vital tool for businesses to navigate the complex landscape of potential threats. By identifying and prioritizing operational risks that are relevant to your business, you can allocate mitigation resources more effectively, focusing on the most critical areas.
Lukas Quanstrom, CEO & Co-Founder of Ontic, shared with us how he better understands business threats on The Employee Safety Podcast. “Once a potential threat has been identified, the next step is really to research the threat and apply data from sources like public records, social media, and the dark net so that you can learn as much as possible about the identified threat. Next, you should assess the threat to determine the severity and the risk it poses to your organization by leveraging professional threat assessment methodologies.”
With a better grasp of your risk level from your threat assessment, you can make more informed decisions about your risk mitigation strategies and responses.
An example of risk mitigation
Let’s look at an example of a risk that should be mitigated: fire.
Fires pose a huge risk to people and property for businesses of all kinds, from corporate offices to restaurants, hotels, and even warehouses. More than 100,000 commercial fires occur every year, with damage costs reaching up to $2.4 billion annually, plus nearly 100 deaths and more than 1,000 injuries. This is a risk with a clear and present danger, and every business should have some sort of mitigation strategy in place. That strategy should address both prevention to reduce the likelihood of a fire occurring in the first place and fire response to ensure a safe evacuation if a fire emergency does occur.
The Four Risk Responses
Here are the four different types of risk responses you’ll use to address risks and how they can help your organization manage threats. To demonstrate these responses, we’ve written out how these business risk mitigation examples could be used for a fire threat.
The first mitigation strategy is risk avoidance—or prevention. The goal with the avoidance strategy is straightforward. Put in place as many policies, trainings, and procedures as necessary to avoid an emergency altogether.
For our example of fire, this could include not allowing open flames in an office or hotel or not allowing restaurant employees to leave cooking food unattended. Not allowing smoking on-site or creating safe smoking areas is another common fire prevention practice for many businesses.
But sometimes, avoidance is not possible for one reason or another. Maybe you’ve done all you can do to prevent a workplace fire, but a lightning storm or electrical short occurs that is out of your control. These are circumstances where you can practice risk acceptance. You still need to have strategies ready ahead of time to make sure this emergency doesn’t destroy your business or harm your employees. That’s where the other strategies come into play.
Next is risk control. Control actions limit the impact of an emergency by narrowing the number of ways an emergency could affect your business. You may not be able to stop a crisis altogether, but you can do things to control how bad it gets.
Controlling the impact of a fire might involve building with fire-resistant materials or keeping fire extinguishers in open areas to control the spread. It might also entail training employees on how to stop different types of fires (chemical, oil, etc.) or running fire drills to facilitate a safe and orderly exit. Practicing fire evacuation plans means employees feel more prepared if the need arises. Communication is also a key part of the control strategy. If there is an emergency like a fire, being able to communicate quickly about an evacuation will help limit injuries or loss of life.
However, there are always going to be factors that you cannot control yourself, so you transfer those risk factors to another entity.
The next strategy is risk transfer. Transferring risk is not simply expecting someone else to take care of things in case of an emergency. Instead, a transferred risk is one you entrust to a different party—whether by necessity or design—so your business is not entirely responsible for all risk factors.
For a fire, this might mean contracting with a fire safety equipment company to ensure all your smoke detectors and fire extinguishers are in working order. It might also mean working with information security teams to ensure critical documents are regularly backed up to the cloud, transferring the risk of loss to the data storage company. By transferring the risk, you are saying you have done all you can do yourself, and you are trusting someone else to take care of what you can’t control.
The last risk management strategy is risk reduction—lowering the impact by reducing how bad any potential fallout is. This can be done using many of the same techniques as the other mitigation strategies.
For a fire, you can reduce adverse effects with actions such as putting important documents in a fire-proof safe or having first aid kits with burn treatment supplies on-site. Having fire sprinklers and proper defensible space can ensure fires don’t spread, and basic first aid training for employees can help keep your people safe. Taken together, these tactics reduce the impact of an emergency when you can’t prevent it outright.
How to Build a Risk Mitigation Plan
Now that you know the basics of mitigating risk, it’s time to build out a plan. Having a documented mitigation plan ensures you know exactly what to do before and during an emergency to avoid, control, transfer, and reduce that risk.
You can build a brand-new plan solely dedicated to effective risk mitigation, or you can add your planned mitigation strategies to another emergency management or business continuity plan. No matter where you keep your plan, simply follow these steps, and you will be ready to mitigate any risk you face.
- Gather stakeholders: Make sure all business leaders and anyone who might take part in the risk mitigation process, or at least the major decision-makers, are involved in planning.
- Run a risk assessment: Use your threat intelligence software or your own research to determine what possible risk events your business faces so you can plan for them. This is a great time to use a risk matrix to map out what is a top priority. Remember to account for different kinds of threats in your risk analysis, from supply chain to cybersecurity to financial risks.
- Determine prevention measures: Once you have your list of identified risks, document the mitigation actions you can take now that will help prevent and avoid those emergencies. Make sure to do this for each potential emergency you identified in your threat assessment. This is a great time to reference your risk matrix so that you can prioritize the most significant threats.
- Create an action plan: Next, document all of the steps you will take for the other three risk mitigation strategies—control, transfer, and reduce. Plan what you will do before the emergency so you don’t need to spend time wondering if you’re doing the right thing while it happens.
- Run drills: Once you have your plan documented, run drills for the different actions or responses so you and your employees can rely on muscle memory. Drills will also help expose any gaps in your plan so you can fill them. You may need to adjust your plan after a drill, so using a documentation tool like an after-action report is helpful.
- Monitor risks: Continuously monitor all potential risks so you know when to act. If you don’t know a threat is imminent, you won’t be able to respond quickly enough. Use a risk monitoring system if you want to integrate automation, or manually track ongoing and new risks, so you are ready to perform the necessary mitigation activities.
- Communicate openly and consistently: Staying in touch with all of your team members and stakeholders will help keep everyone informed about any potential threats and ensure all mitigation efforts are being implemented. Additionally, communication is one of your best tools during a crisis to keep people safe and mitigate harm. A reliable emergency communication system can help you communicate quickly and easily.
3 Tools for Risk Mitigation
Risk mitigation can be a bit complicated, especially when you are trying to prepare for the wide range of business risks you might face. We’ve been using workplace fires as an example, but your business may need to mitigate many more risks, including natural disasters, systems outages, disease outbreaks, and workplace violence.
Trying to plan for and implement these strategies for so many different risks is easier with good tools at hand. Here are a few you should lean on to make your risk mitigation efforts more effective.
Threat intelligence software
It’s impossible to mitigate a risk if you don’t know your business is vulnerable to it. So, performing a risk assessment for your business is critical. Finding a reliable threat intelligence system can make this much easier by removing a lot of the guesswork, particularly if it has a threat history feature to show what threats your area has faced in the past. Make sure to track and document all possible threats so you are prepared to make the most informed decisions when preparing to mitigate your organization’s risks.
Risk matrix
Once you have your risks documented, you can use a risk matrix to map out how likely each risk is and the potential impact of the risk on your business operations. For example, a fire in an office might have a low likelihood, but it could have a moderate-to-high impact if it occurs, whereas a fire in a restaurant has a high likelihood, with a moderate-to-high impact. Knowing the probability and potential impact helps you prioritize what to plan for. Common risks with high probability and high impact should be the first on your list when you are building out risk mitigation plans, and they will likely require the most preparation.
After-action report
After running drills for your plan, document the experience and create a process to improve on aspects of your plan that failed or did not play out as expected. With an after-action report template, it is easy to go through what went well, what went wrong, and what you need to do to make the plan better. Complete the same process following actual incidents and emergencies to improve your preparedness at every opportunity.
Addressing a Disaster Before It Starts
Without a risk mitigation plan, you will always be playing catch up. By prioritizing risk mitigation in your business, you will lower the number of emergencies your business faces and reduce any major impact on your business if those emergencies do occur. All it takes is a bit of planning and some preventative action, and you can stop a catastrophic disaster or temper it before it even starts.