Risk Mitigation: Stopping an Emergency Before It Starts
The best kind of emergency is one that never happens, but with a good risk mitigation plan, you can lower the impact of emergencies you can’t prevent. In this article, learn the benefits of prioritizing risk mitigation and how to build your own plan.
In the field of workplace safety and emergency management, a lot of terms get thrown around that all seem, at first glance, to mean the same thing. If you’re reading this, you’re probably all too familiar with these concepts: emergency preparedness, risk management, threat assessments, risk assessments, emergency management, crisis management, etc. Depending on your outlook, these either serve as shorthand for the highly strategic, important work that occupies your day, or they sound like imperfect terms that represent burdensome processes and big company bloat.
All of which is to say, if you feel that risk mitigation is imprecise, time-consuming, and hard to pinpoint, you’re not alone. Maybe you already have a WIP emergency plan, or maybe you are running on the assumption that you can figure things out in the moment if you ever face an emergency. But anyone who has worked in emergency management long enough knows it’s not a matter of if an emergency hits; it’s a matter of when and how bad. And nothing slows down work like a major natural disaster or catastrophic systems outage.
Whether your holdup is about time, money, or effort, you should know that investing in risk mitigation can actually improve the function of your business, not slow it down. A recent Deloitte survey found that higher investment in risk management and mitigation translated to better program performance and higher company growth.
And it doesn’t have to involve a huge overhaul of your operations. As Steve Richard, SVP of Enterprise Risk Management for Becton Dickinson, puts it, “We focus on avoiding bad things, but also on enabling the businesses to operate without disruption. We partner with our executives to make sure what we ask of them is less intrusive and as efficient as possible. We want the benefits of a sound ERM program with as little burden as possible.”
Every business faces risks—weather and natural disasters, occupational hazards, cybersecurity and system outages, or workplace violence—and there is no way to fully avoid every risk possible. But with a good risk mitigation plan in place, you can prevent a crisis event from having a massive impact on your business, getting as close as you can to being able to stop an emergency before it starts.
What Is Risk Mitigation?
Risk mitigation is the process of planning and preparing for a potential threat or emergency in order to lessen the risk and/or impact.
You can mitigate risk for all kinds of emergencies in all kinds of ways. For example, to mitigate the risk of workplace violence, you can run active shooter drills, perform target hardening on your building to eliminate vulnerabilities, or train your employees in tactics like run, hide, fight—and you can even do all three. For a natural disaster like a hurricane, you can mitigate risk by having an evacuation plan, understanding hurricane categories, monitoring for storms to detect them early, securing your facilities, and communicating with employees throughout the event.
The risks you face will vary depending on your location and industry—and if your business has multiple locations, there will be different risks to each site. But the point of risk mitigation is to properly identify your specific risks, and your vulnerabilities to those risks, and then work to proactively address them.
With mitigation, you are simultaneously working to reduce your risk profile by lessening the likelihood of an emergency while also strengthening your response to lessen the impact if an emergency does occur.
Risk mitigation vs. risk prevention
There are a lot of similarities between risk mitigation and risk prevention. In fact, as mentioned above, risk prevention is a huge part of mitigation, but some mitigation strategies go beyond prevention.
Prevention is a major element of emergency preparedness, but there is no way to prevent all emergencies all the time, so it’s just as important to plan how you will lessen the impact when something does go wrong. That’s where risk mitigation comes into play.
Why Prioritize Risk Mitigation?
Proper risk mitigation, like other emergency preparedness techniques, can go a long way toward making your business safer. There is often a major focus on creating emergency response and disaster recovery plans, but while these kinds of risk management plans are hugely helpful, prioritizing risk mitigation can ensure that you won’t need to use your response plans as often. By putting time and resources into preventing and limiting the impact of an emergency, you will have to spend far less on any sort of response or recovery. And this goes for all sorts of disasters.
Additionally, many general mitigation tactics, like maintaining proper working conditions and training employees on safety procedures, can promote a general culture of safety at your organization. When your employees learn that your business is focused on safety at all levels, they will be more likely to participate in safe actions themselves. This means that your business is more resilient to all sorts of emergencies, even ones without dedicated plans. A safety culture will save you time, money, and effort in the long term.
Let’s look at another example of a risk that should be mitigated: fire.
Fires pose a huge risk to people and property for businesses of all kinds, from corporate offices to restaurants, hotels, and even warehouses. More than 100,000 commercial fires occur every year, with damage costs reaching up to $2.4 billion annually and injuries reaching well over 1,000. This is a risk with a clear and present danger, and every business should have some sort of mitigation strategy in place. But what does that look like? Let’s walk through the different types of risk mitigation strategies and how they could be used for the threat of fire.
The 4 Risk Mitigation Strategies
Risk mitigation strategy #1: Avoid
The first mitigation strategy is risk avoidance—or prevention. The goal with the “avoid” strategy is straightforward. Put as many policies, trainings, and procedures in place as necessary to avoid an emergency altogether. For our example of fire, this could be many things, like not allowing open flames in an office or hotel or not allowing restaurant employees to leave cooking food unattended. Not allowing smoking on-site or creating safe smoking areas is another common fire prevention practice for many businesses.
But sometimes, avoidance is not possible for one reason or another. Maybe you’ve done all you can do to prevent a workplace fire, but a lightning storm or electrical short out of your control occurs. There are simply times when you must practice risk acceptance. You still need to have strategies ready ahead of time to make sure that this emergency doesn’t destroy your business or harm your employees. That’s where the other strategies come into play.
Risk mitigation strategy #2: Control
The first strategy under risk acceptance is risk control. Control actions limit the impact of an emergency by narrowing the number of ways an emergency could affect your business. You may not be able to stop a crisis altogether, but you can do things to control how bad it gets. Controlling the impact of a fire might mean building with fire-resistant materials or keeping fire extinguishers placed in open areas to control the spread. It might also entail training employees on how to stop different types of fires (chemical, oil, etc.) or running fire drills to control for panic, since practicing evacuations means employees feel more prepared if the need arises. Communication is also a key part of the control strategy. If there is an emergency like a fire, being able to communicate quickly about an evacuation will control for any injuries or loss of life.
However, there are always going to be factors that you cannot control yourself, and for those risk factors, you instead transfer that risk to another entity.
Risk mitigation strategy #3: Transfer
The next strategy is risk transfer. Transferring risk is not simply expecting someone else to take care of things in case of an emergency. Instead, a transferred risk is one that you entrust to a different party—whether by necessity or design—so that you and your business are not entirely responsible for all risk factors.
For a fire, this might mean contracting with a fire safety equipment company to ensure that all your smoke detectors and fire extinguishers are in working order. It might also mean working with information security teams to ensure critical documents are regularly backed up to the cloud, transferring the risk of loss to the data storage company. By transferring the risk, you are saying that you have done all you can do yourself, and you are trusting someone else to take care of what you can’t control.
Risk mitigation strategy #4: Reduce
The last risk mitigation strategy is risk reduction—lowering the impact by reducing how bad any potential fallout is. This can be done using many of the same techniques as the other mitigation strategies. For a fire, action items like putting important documents in a fire-proof safe or having first aid kits with burn treatment supplies on-site can reduce adverse effects. Having fire sprinklers and proper defensible space can ensure that fires don’t spread, and training your employees on basic first aid can help keep your people safe. Taken together, these types of tactics reduce the impact of an emergency when you can’t prevent it outright.
3 Tools for Risk Mitigation
Risk mitigation can be a bit complicated, especially when you are trying to prepare for all the different kinds of risks your business might face. We’ve been using workplace fires as an example, but your business may need to mitigate many more risks, like natural disasters, systems outages, disease outbreaks, and workplace violence.
Trying to plan for and implement all of these strategies for so many different risks is much easier with good tools at hand. Here are a few you should lean on when putting risk mitigation efforts into practice at your business.
Threat intelligence software
It’s impossible to mitigate a risk if you don’t know your business is vulnerable to it. So performing a risk assessment for your business is critical. Finding a reliable threat intelligence system can make this much easier by taking a lot of the guesswork out of determining what risks you face, particularly if it has a threat history feature to show what threats your area has faced in the past. Make sure to document the threats so you can build out risk mitigation plans for each one.
Risk matrix
Once you have your risks documented, you can use a risk matrix to map out how likely each risk is and the potential impact of the risk on your business operations. For example, a fire in an office might be low risk, but it could have a moderate to high impact if it occurs, whereas a fire in a restaurant has a high risk, with a moderate to high impact. Knowing the probability and potential impact helps you prioritize what to plan for. Common risks with high probability and high impact should be the first on your list when you are building out risk mitigation plans, and they will likely require the most preparation.
After Action Report
Documentation like an After Action Report is a great way to improve your risk mitigation once you have it in place. After running drills for your plan, simply document what happened and then create a process to improve on aspects of your plan that failed or did not play out as expected. With an After Action Report template, it is easy to go through what went well, what went wrong, and what should be done to make the plan better.
How to Build a Risk Mitigation Plan
Now that you know the basics of risk mitigation, it’s time to build out a plan. Having a documented mitigation plan ensures that you will know exactly what to do before and during an emergency to avoid, control, transfer, and reduce that risk.
You can build out a brand-new plan solely dedicated to risk mitigation, or you can add your planned mitigation strategies to another emergency management or business continuity plan. No matter where you keep your plan, simply follow these steps, and you will be ready to mitigate any risk you face.
- Gather stakeholders: Make sure that everyone who might take part in the risk mitigation process, or at least the major decision-makers, is involved in the planning process.
- Run risk assessment: Use your threat intelligence software or your own research to determine what possible risk events your business faces so you can plan for them. This is a great time to use a risk matrix to map out what is a top priority. Remember to account for different kinds of threats in your risk analysis, from financial risks to supply chain to cybersecurity.
- Determine prevention measures: Once you have your list of identified risks you need to mitigate, you can document the mitigation actions you can take now that will help prevent and avoid those emergencies. Make sure to do this for each potential emergency you found in your risk assessment. This is a great time to reference your risk matrix, so you can prioritize the biggest threats.
- Create an action plan: Next, document all of the steps you will take for the other three risk mitigation strategies—control, transfer, and reduce. Plan what you will do before the emergency so that you don’t need to spend time wondering if you are doing the right thing while it happens.
- Run drills: Once you have your plan documented, run drills for the different actions or responses so they become muscle memory. Drills will also help expose any gaps in your plan so you can fill them. You may need to adjust your plan after a drill, so using a documentation tool like an After Action Report might be helpful.
- Monitor risks: You want to be continuously monitoring all of your potential risks so that you know when to act. If you don’t know a threat is imminent, you won’t be able to respond quickly enough. So use a threat monitoring system or manually track risks, so you are ready to perform the necessary mitigation activities.
- Communicate openly and consistently: Staying in touch with all of your team members and stakeholders consistently will help keep everyone informed about any potential threats, and ensure that all mitigation efforts are being implemented. Additionally, communication is one of your best tools during a crisis to keep people safe and mitigate harm. A reliable emergency communication system can help you communicate quickly and easily.
Stopping a Disaster Before It Starts
The best-case scenario for any emergency is to not have one in the first place. But without a mitigation plan, you will always be playing catch up. By prioritizing risk mitigation in your business, you will lower the number of emergencies your business faces and stop them from having a major impact on your business if they do occur. All it takes is a bit of planning and some preventative action, and you can stop a catastrophic disaster before it even starts.