What Is Risk Mitigation? Take Action in 7 Steps
The best kind of emergency is one that never happens, but with a good risk mitigation plan, you can lower the impact of events you can’t prevent. In this article, learn the benefits of prioritizing risk mitigation and how to build your own plan.
Emergencies come in many different shapes and sizes, but the thread you need to follow in each case is the potential for harm to your people and damage to your operations. Some of these emergencies are simply unavoidable. But the more you can anticipate and prepare for, the better your chances of organizational safety, security, and resilience.
When Gulf Coast Regional Blood Center’s operations in Houston were severely threatened by Hurricane Harvey, failure wasn’t an option; Gulf Coast residents were in dire need of blood due to the large number of injuries sustained in the hurricane. In short: they didn’t have time to scale back and regroup after the hurricane—they had to adapt right away. So they used their AlertMedia mass notification system to create ad-hoc procedures to keep blood circulating in the middle of one of the worst storms the U.S. has ever seen. This is the essence of risk mitigation.
And it doesn’t have to involve a huge overhaul of your operations. As Steve Richard, SVP of Enterprise Risk Management for Becton Dickinson, puts it, “We focus on avoiding bad things, but also on enabling the businesses to operate without disruption. We partner with our executives to make sure what we ask of them is less intrusive and as efficient as possible. We want the benefits of a sound ERM program with as little burden as possible.”
Every business faces risks—weather and natural disasters, occupational hazards, cybersecurity and system outages, or workplace violence—and there is no way to fully avoid every risk possible. But with a good risk mitigation plan in place, you can prevent a crisis event from having a massive impact on your business, getting as close as you can to stopping an emergency before it starts.
What Is Risk Mitigation?
Risk mitigation is the process of planning and preparing for a potential threat or emergency in order to lessen the risk and/or impact.
You can mitigate risk for all kinds of emergencies in a variety of ways. For example, to mitigate the risk of workplace violence, you can:
- Run active shooter drills
- Perform target hardening on your building to eliminate vulnerabilities
- Train your employees in tactics like run, hide, fight
For a natural disaster like a hurricane, you can mitigate risk by:
- Creating an evacuation plan
- Understanding hurricane categories
- Monitoring for storms to detect them early
- Securing your facilities
- Communicating with employees throughout the event
The risks you face will vary depending on your location and industry—and if your business has multiple locations, there will be different risks to each site. But the point of risk mitigation is to properly identify your specific risks, and your vulnerabilities to those risks, and then work to proactively address them.
With mitigation, you are simultaneously working to reduce your risk profile by lessening the likelihood of an emergency while also strengthening your response to lessen the impact if an emergency does occur.
Risk mitigation vs. risk prevention
Simply put, risk mitigation is the practice of diminishing the impact of an event, while risk prevention focuses on avoiding those events entirely.
There are a lot of similarities between risk mitigation and risk prevention since they both work toward the goal of protecting an organization, its people, and its business processes. In fact, they are almost always used in conjunction to create multiple layers of security.
Prevention is a major element of emergency preparedness, but there is no way to prevent all emergencies all the time, so it’s just as important to plan how you will lessen the impact when something does go wrong. That’s where risk mitigation comes into play.
Why Prioritize Risk Mitigation?
Proper risk mitigation, like other emergency preparedness techniques, can go a long way toward making your business safer. There is often a major focus on creating emergency response and disaster recovery plans, but while these kinds of risk management plans are hugely helpful, prioritizing risk mitigation can ensure you won’t need to use your response plans as often. By putting time and resources into preventing and limiting the impact of an emergency, you will spend far less in any sort of response or recovery. And this goes for all sorts of disasters.
Additionally, many general mitigation tactics, like maintaining safe working conditions and training employees in safety procedures, can promote a general culture of safety at your organization. When your employees learn that your business is focused on safety at all levels, they will be more likely to participate in safe actions themselves. This means your business is more resilient to all sorts of safety and security emergencies, even ones without dedicated emergency plans. A safety culture will save you time, money, and effort in the long term.
An example of risk mitigation
Let’s look at an example of a risk that should be mitigated: fire.
Fires pose a huge risk to people and property for businesses of all kinds, from corporate offices to restaurants, hotels, and even warehouses. More than 100,000 commercial fires occur every year, with damage costs reaching up to $2.4 billion annually, plus nearly 100 deaths and more than 1,000 injuries. This is a risk with a clear and present danger, and every business should have some sort of mitigation strategy in place.
But what does that look like? Let’s walk through the different types of risk mitigation strategies and how they could be used for the threat of fire.
The 4 Risk Mitigation Strategies
The first mitigation strategy is risk avoidance—or prevention. The goal with the “avoid” strategy is straightforward. Put in place as many policies, trainings, and procedures as necessary to avoid an emergency altogether.
For our example of fire, this could include not allowing open flames in an office or hotel or not allowing restaurant employees to leave cooking food unattended. Not allowing smoking on-site or creating safe smoking areas is another common fire prevention practice for many businesses.
But sometimes, avoidance is not possible for one reason or another. Maybe you’ve done all you can do to prevent a workplace fire, but a lightning storm or electrical short out of your control occurs. These are circumstances where you can practice risk acceptance. You still need to have strategies ready ahead of time to make sure this emergency doesn’t destroy your business or harm your employees. That’s where the other strategies come into play.
Next is risk control. Control actions limit the impact of an emergency by narrowing the number of ways an emergency could affect your business. You may not be able to stop a crisis altogether, but you can do things to control how bad it gets.
Controlling the impact of a fire might involve building with fire-resistant materials or keeping fire extinguishers in open areas to control the spread. It might also entail training employees on how to stop different types of fires (chemical, oil, etc.) or running fire drills to control for panic—practicing fire evacuation plans means employees feel more prepared if the need arises. Communication is also a key part of the control strategy. If there is an emergency like a fire, being able to communicate quickly about an evacuation will control for any injuries or loss of life.
However, there are always going to be factors that you cannot control yourself, so you transfer those risk factors to another entity.
The next strategy is risk transfer. Transferring risk is not simply expecting someone else to take care of things in case of an emergency. Instead, a transferred risk is one that you entrust to a different party—whether by necessity or design—so your business is not entirely responsible for all risk factors.
For a fire, this might mean contracting with a fire safety equipment company to ensure all your smoke detectors and fire extinguishers are in working order. It might also mean working with information security teams to ensure critical documents are regularly backed up to the cloud, transferring the risk of loss to the data storage company. By transferring the risk, you are saying you have done all you can do yourself, and you are trusting someone else to take care of what you can’t control.
The last risk management strategy is risk reduction—lowering the impact by reducing how bad any potential fallout is. This can be done using many of the same techniques as the other mitigation strategies.
For a fire, you can reduce adverse effects with actions such as putting important documents in a fire-proof safe or having first aid kits with burn treatment supplies on-site. Having fire sprinklers and proper defensible space can ensure fires don’t spread, and basic first aid training for employees can help keep your people safe. Taken together, these tactics reduce the impact of an emergency when you can’t prevent it outright.
How to Build a Risk Mitigation Plan
Now that you know the basics of risk mitigation, it’s time to build out a plan. Having a documented mitigation plan ensures you will know exactly what to do before and during an emergency to avoid, control, transfer, and reduce that risk.
You can build a brand-new plan solely dedicated to risk mitigation, or you can add your planned mitigation strategies to another emergency management or business continuity plan. No matter where you keep your plan, simply follow these steps, and you will be ready to mitigate any risk you face.
- Gather stakeholders: Make sure everyone who might be involved in the risk mitigation process, or at least the major decision-makers, is involved in the planning process.
- Run a risk assessment: Use your threat intelligence software or your own research to determine what possible risk events your business faces so you can plan for them. This is a great time to use a risk matrix to map out what is a top priority. Remember to account for different kinds of threats in your risk analysis, from supply chain to cybersecurity to financial risks.
- Determine prevention measures: Once you have your list of identified risks, document the mitigation actions you can take now that will help prevent and avoid those emergencies. Make sure to do this for each potential emergency you identified in your threat assessment. This is a great time to reference your risk matrix, so you can prioritize the most significant threats.
- Create an action plan: Next, document all of the steps you will take for the other three risk mitigation strategies—control, transfer, and reduce. Plan what you will do before the emergency so that you don’t need to spend time wondering if you are doing the right thing while it happens.
- Run drills: Once you have your plan documented, run drills for the different actions or responses so you can rely on muscle memory. Drills will also help expose any gaps in your plan so you can fill them. You may need to adjust your plan after a drill, so using a documentation tool like an after-action report is helpful.
- Monitor risks: Continuously monitor all of your potential risks so you know when to act. If you don’t know a threat is imminent, you won’t be able to respond quickly enough. Use a threat monitoring system or manually track risks, so you are ready to perform the necessary mitigation activities.
- Communicate openly and consistently: Staying in touch with all of your team members and stakeholders will help keep everyone informed about any potential threats and ensure all mitigation efforts are being implemented. Additionally, communication is one of your best tools during a crisis to keep people safe and mitigate harm. A reliable emergency communication system can help you communicate quickly and easily.
3 Tools for Risk Mitigation
Risk mitigation can be a bit complicated, especially when you are trying to prepare for the wide range of risks your business might face. We’ve been using workplace fires as an example, but your business may need to mitigate many more risks, including natural disasters, systems outages, disease outbreaks, and workplace violence.
Trying to plan for and implement these strategies for so many different risks is easier with good tools at hand. Here are a few you should lean on to make your risk mitigation efforts more effective.
Threat intelligence software
It’s impossible to mitigate a risk if you don’t know your business is vulnerable to it. So performing a risk assessment for your business is critical. Finding a reliable threat intelligence system can make this much easier by removing a lot of the guesswork, particularly if it has a threat history feature to show what threats your area has faced in the past. Make sure to track and document all possible threats so you can determine your priorities and build out risk mitigation plans accordingly.
Risk matrix
Once you have your risks documented, you can use a risk matrix to map out how likely each risk is and the potential impact of the risk on your business operations. For example, a fire in an office might have a low likelihood, but it could have a moderate-to-high impact if it occurs, whereas a fire in a restaurant has a high likelihood, with a moderate-to-high impact. Knowing the probability and potential impact helps you prioritize what to plan for. Common risks with high probability and high impact should be the first on your list when you are building out risk mitigation plans, and they will likely require the most preparation.
After-action report
After running drills for your plan, document the experience and create a process to improve on aspects of your plan that failed or did not play out as expected. With an after-action report template, it is easy to go through what went well, what went wrong, and what should be done to make the plan better. Complete the same process following actual incidents and emergencies to improve your preparedness at every opportunity.
Addressing a Disaster Before It Starts
The best-case scenario for any emergency is to not have one in the first place. But without a mitigation plan, you will always be playing catch-up. By prioritizing risk mitigation in your business, you will lower the number of emergencies your business faces and stop them from having a major impact on your business if they do occur. All it takes is a bit of planning and some preventative action, and you can stop a catastrophic disaster or temper it before it even starts.