n. ~ A process to implement controls and countermeasures to reduce the consequences of risk.


  • CNSS-4009 (†730 p.62): Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. (†1748)
  • Dorian 2011 (†489): Risk management is all about understanding risks that can impact your organizational objectives, and implementing strategies to mitigate and manage those risks. . . . When mitigating or managing risks, here are three steps to consider: · What is the organization's appetite and tolerance for risk? Set the level of risk the board and management is willing to take. · Prioritize, or rank, each risk for significance and likelihood. By ranking risk, management is better able to determine the strategy that will be most effective. · Determine appropriate risk mitigation strategies. The four most common mitigation strategies are avoidance, acceptance, transference, and control. (†743)
  • Dorian 2011 (†489): Risk mitigation strategies ¶ Avoidance Some risks aren't worth taking in the first place. Is the risk a result of activities within the core business or outside of it? If outside, and the level of risk is deemed relatively high, then consideration should be given to ceasing or avoiding to undertake those activities. If the activities are part of the core business, then consider if there is another way of doing things that will avoid or minimize the risk or loss. ¶ Acceptance Without risk there is no reward. If the risk is low enough, then accept it as a cost of doing business, acknowledging that little to no action is being taken to mitigate that risk. An entity could establish a contingency fund or build a contingency plan to minimize any loss not previously anticipated from these risks. ¶ Transference Risk transference is the process of transferring any losses incurred to a third party, such as through the use of insurance policies. Another method of transferring risk is to outsource activities to a third party. If there are activities that are not core to the business, then it might make more sense to transfer these activities to a third party to whose core business they do belong, especially if internal resources are limited. Many back-office functions, such as payroll and purchasing, are outsourced to service providers that specialize in these areas. ¶ Control A control is a procedure used to either prevent a risk from occurring or detect a risk after it has occurred. If the risk is worth taking and is part of an organization's core operating activities, then controls can be used to mitigate and manage the risk. (†744)
  • ISACA Glossary (†743 s.v. risk mitigation): The management of risk through the use of countermeasures and controls. (†1802)
  • NIST 2013 (†734 p. B-19): Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. [CNSSI 4009] (†1815)
  • NIST Managing Information Security Risk 2011 (†484 p. 42): Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. The alternatives to mitigate risk depend on: (i) the risk management tier and the scope of risk response decisions assigned or delegated to organizational officials at that tier (defined by the organizational governance structures); and (ii) the organizational risk management strategy and associated risk response strategies. The means used by organizations to mitigate risk can involve a combination of risk response measures across the three tiers (†739)
  • Owner's Role 2005 (†487 p. 41): The ultimate purpose of risk identification and analysis is to prepare for risk mitigation. Mitigation includes reduction of the likelihood that a risk event will occur and/or reduction of the effect of a risk event if it does occur. (†741)
  • Risk Assessment 2006 (†488 §5.1, http://international.fhwa.dot.gov/): The objectives of risk mitigation and planning are to explore risk response strategies for the high risk items identified in the qualitative and quantitative risk analysis. The process identifies and assigns parties to take responsibility for each risk response. It ensures that each risk requiring a response has an owner. The owner of the risk could be an agency planner, engineer, or construction manager, depending on the point in project development, or it could be a private sector contractor or partner, depending on the contracting method and risk allocation. ¶ Risk mitigation and planning efforts may require that agencies set policies, procedures, goals, and responsibility standards. Formalizing risk mitigation and planning throughout a highway agency will help establish a risk culture that should result in better cost management from planning through construction and better allocation of project risks that align teams with customer-oriented performance goals. (†742)