What is Risk Mitigation? Definition, Strategies and Planning

Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business. Comparable to risk reduction, risk mitigation takes ... Home Disasterrecoveryplanningandmanagement Compliance,riskandgovernance Whatisriskmitigation? TechAccelerator Whatisriskmanagementandwhyisitimportant? Prev Next Topenterpriseriskmanagementcertificationstoconsider Whatisintegratedriskmanagement(IRM)? Downloadthisguide1 Sharethisitemwithyournetwork: By BenLutkevich, TechnicalWriter Riskmitigationisastrategytoprepareforandlessentheeffectsofthreatsfacedbyabusiness.Comparabletoriskreduction,riskmitigationtakesstepstoreducethenegativeeffectsofthreatsanddisastersonbusinesscontinuity(BC).Threatsthatmightputabusinessatriskincludecyberattacks,weathereventsandothercausesofphysicalorvirtualdamage.Riskmitigationisoneelementof riskmanagementanditsimplementationwilldifferbyorganization. Whatisthegoalofriskmitigation? Riskmitigationistheprocessofplanningfordisastersandhavingawaytolessennegativeimpacts. Althoughtheprincipleofriskmitigationistoprepareabusinessforallpotentialrisks,aproperriskmitigationplanwillweightheimpactofeachriskandprioritizeplanningaroundthatimpact.Riskmitigationfocusesontheinevitabilityofsomedisastersandisusedforthosesituationswhereathreatcannotbeavoidedentirely.Ratherthanplanningtoavoidarisk,mitigationdealswiththeaftermathofadisasterandthestepsthatcanbetakenpriortotheeventoccurringtoreduceadverseand,potentially,long-termeffects. Ideally,anorganizationwouldbepreparedforallrisksandthreatsandavoidthementirely.However,havingariskmitigationplancanhelpanorganizationpreparefortheworst,acknowledgingthatsomedegreeofdamagewilloccurandhavingsystemsinplacetoconfrontthat. Adiagramlayingoutthestepsinriskmitigationplandevelopment. What'sinariskmitigationplan? Whencreatingariskmitigationplan,thereareafewstepsthatarefairlystandardformostorganizations.Recognizingrecurringrisks,prioritizingriskmitigationandmonitoringtheestablishedplanarevitalaspectstomaintainingathoroughriskmitigationstrategy. Thisarticleispartof Whatisriskmanagementandwhyisitimportant? Whichalsoincludes: governance,riskmanagementandcompliance(GRC) riskavoidance riskmap(riskheatmap) Download1 DownloadthisentireguideforFREEnow! Therearefivegeneralstepsinthedesignprocessofariskmitigationplan: Identifyallpossibleeventsinwhichriskispresented.Ariskmitigationstrategytakesintoaccountnotonlytheprioritiesandprotectionofmission-criticaldataofeachorganization,butanyrisksthatmightariseduetothenatureofthefieldorgeographiclocation.Ariskmitigationstrategymustalsofactorinanorganization'semployeesandtheirneeds. Performariskassessment,whichinvolvesquantifyingthelevelofriskintheeventsidentified.Riskassessmentsinvolvemeasures,processesandcontrolstoreducetheimpactofrisk. Prioritizerisks,whichinvolvesrankingquantifiedriskintermsofseverity.Oneaspectofriskmitigationis prioritization --acceptinganamountofriskinonepartoftheorganizationtobetterprotectanother.Byestablishinganacceptablelevelofriskfordifferentareas,anorganizationcanbetterpreparetheresourcesneededforBC,whileputtingfewermission-criticalbusinessfunctionsonthebackburner. Trackrisks,whichinvolvesmonitoringrisksastheychangeinseverityorrelevancetotheorganization.It'simportanttohavestrongmetricsfortrackingriskasitevolves,andfortrackingtheplan'sabilitytomeetcompliancerequirements. Implementandmonitorprogress,whichinvolvesreevaluatingtheplan'seffectivenessinidentifyingriskandimprovingasneeded.In businesscontinuityplanning,testingaplanisvital.Riskmitigationisnodifferent.Onceaplanisinplace,regulartestingandanalysisshouldoccurtomakesuretheplanisuptodateandfunctioningwell.Risksfacingdatacentersareconstantlyevolving,soriskmitigationplansshouldreflectanychangesinriskorshiftingpriorities. Typesofriskmitigationstrategies Thereareseveraltypesofriskmitigationstrategies.Often,thesestrategiesareusedincombinationwitheachother,andonemaybepreferableoveranother,dependingonthecompany'srisklandscape.Theyareallpartofthebroaderpracticeofriskmanagement. Riskavoidanceisusedwhentheconsequencesaredeemedtoohightojustifythecostofmitigatingtheproblem.Forexample,anorganizationcanchoosenottoundertakecertainbusinessactivitiesorpracticestoavoidanyexposuretothethreattheymightpose.Riskavoidanceisacommonbusinessstrategyandcanrangefromsomethingassimpleaslimitinginvestmentstosomethingassevereasnotbuildingofficesinpotentialwarzones. Riskacceptanceisacceptingariskforagivenperiodoftimetoprioritizemitigationeffortonotherrisks. Risktransferallocatesrisksbetweendifferentparties,consistentwiththeircapacitytoprotectagainstormitigatetherisk.Oneexampleofthiswouldbeadefectiveproductbuiltwithsomeamountofthird-partymaterial.Theproduceroftheproductmaytransferresponsibilityforacertainfractionoftheriskbecauseofthis. Riskmonitoringistheactofwatchingprojectsandtheassociatedrisksforchangesintheimpactoftheassociatedrisks. Riskcanaffectanycombinationofperformance,costandscheduling;therefore,differentstrategiesshouldbeusedtoaddressrisksbasedonthewaytheyaffectthesefactors.Forexample,itmightbemoreimportantforacompanytoperformwellthanforittosavemoneyinacertainprojectscenario.Thecompanywouldlikelyemployariskacceptancestrategy,temporarilyprioritizingrisksthataffectperformancemoreheavilythancost. Adiagramshowinghowquantitativeriskassessmentcanbeusedtoevaluatethelikelihoodandimpactofriskevents. Riskmitigationbestpractices Belowaresomeriskmitigationbestpracticesthatinformationsecurityprofessionalsshouldfollow: Makesurestakeholdersareinvolvedateachstep.Stakeholdersmaybeemployees,managers,unions,shareholdersorclients.Allperspectivesareimportantfordevelopingacomprehensive,holisticriskmitigationstrategy. Createastrongculturearoundriskmanagement.Thismeanscommunicatingthevalues,attitudesandbeliefssurroundingriskandcompliancefromthetopdown.It'simportantforeveryemployeetohaveriskawareness,buttheprobabilityofastrongcultureisgreatlyimprovedwhenmanagementsetsthetone. Communicaterisksastheyarise.Riskawarenessmustbestrongthroughouttheentireorganization,sofacilitatingcommunicationofnew,high-impactrisksisimportanttokeepeveryoneuptospeed. Ensureriskmanagementpolicyisclearsoemployeesareabletofollowit.Rolesandresponsibilitiesshouldbeclearlydefined,andeachdefinedriskneedsaclearprocessfordealingwithit. Continuouslymonitorpossiblerisks.Riskmonitoringpracticesshouldalsobeclearlydefinedandimplementedtocontinuouslyimprovetheriskmitigationplan. Riskmitigationtools Onecommonlyusedriskmitigationtoolisariskassessmentframework(RAF).AnRAFprovidesanorganizationwithanoutlineofwhichsystemsareathighorlowriskandpresentsinformationforbothtechnicalandnontechnicalpersonnel.AnRAFcanbeusedasariskmitigationtoolbypresentingconsistentriskassessmentandreportingmethods. CommonRAFsincludetheRiskManagementGuideforInformationTechnologySystemsfromtheNationalInstituteofStandardsandTechnology(NIST);theOperationallyCriticalThreat,Asset,andVulnerabilityEvaluation(OCTAVE)fromCarnegieMellonUniversity;andControlObjectivesforInformationandRelatedTechnology(COBIT)fromtheInformationSystemsAuditandControlAssociation(ISACA).TheMitrewebsitealsoofferscomprehensiveguidelinesforriskmitigation. Someothercommonlyusedriskmitigationtoolsare: Aprobabilityandimpactmatrix. ASWOT(strengths,weaknesses,opportunities,threats)analysis. Arootcauseanalysis. Alongwithhavingakeenunderstandingofinternalneedsandresources,externalspecialistscanalsobeabeneficialpartofariskmitigationplan.SeveralBCanddisasterrecovery(DR)vendorsfocusonriskmitigation,andevensmallerorganizationscantakeadvantageofDRasaservice(DRaaS)vendorstokeepcostsrelativelylow. ThiswaslastupdatedinOctober2021 ContinueReadingAboutWhatisriskmitigation? Riskmanagementprocess:Whatarethe5steps? Implementinganenterpriseriskmanagementframework 9commonriskmanagementfailuresandhowtoavoidthem ISO31000vs.COSO:Comparingriskmanagementstandards Howtoperformacybersecurityriskassessment,stepbystep RelatedTerms changecontrol Changecontrolisasystematicapproachtomanagingallchangesmadetoaproductorsystem. See complete definition disasterrecovery(DR) Disasterrecovery(DR)isanorganization'sabilitytorespondtoandrecoverfromaneventthataffectsbusinessoperations. See complete definition fault-tolerant Fault-toleranttechnologyisacapabilityofacomputersystem,electronicsystemornetworktodeliveruninterruptedservice,... See complete definition DigDeeperonDisasterrecoveryplanningandmanagement 3benefitsofsustainablecybersecurityintheenterprise By:Diana Kelley riskassessmentframework(RAF) By:Andrew Zola Managingsupplychainriskrequiresnewpriorities,tools By:Diann Daniel riskassessment By:Ben Cole SponsoredNews DeployingaCyber-ResilientFrameworktoReduceRiskandEnableDigital... –HPE ReduceRiskinMovingWorkloadstotheCloud –DellTechnologies SeeMore VendorResources GapsInAttackSurfaceMonitoringAndSecurityTestingForCyber-RiskMitigation –Cycognito HOWTOBUILDARISKMANAGEMENTPLAN –ReciprocityLabs LatestTechTargetresources DataBackup Storage ConvergedInfrastructure SearchDataBackup Veeambackuprepositorybestpracticesforoptimalprotection JustafewsimplestepscanenhanceperformanceprotectionintheVeeambackuprepository.Usethesebestpracticestomaximize... ForSalesforcebackupoptions,lookbeyondnativecapabilities Salesforcedealswithcriticaldata,sodataprotectionisamajorconsideration.Findoutwhyusersmaywanttolookoutsidethe... Trellobackupbestpractices SaaSapplicationslikeTrellohavegainedtractioninrecentyears.Protectmission-criticaldataonTrelloboardswiththese... SearchStorage KioxiareleasesPCIeGen5SSDfordatacenters Kioxia'sCD8,itssecond-generationPCIeGen5SSDs,providesincreasedperformanceanda2.5inchformfactorthatmakeitmuch... AprimerontheNVMemanagementecosystem TheNVMemanagementecosystemhasalotofmovingpartsandconfusingacronyms.Thisoverviewdetailsthevariousspecifications... OpenDriveskeytoremoteeditingofDaveGrohldocumentary JimRotaandDeanGonzalezlackedhigh-performancestorageneededtomakeandedittheirnewmusicdocumentary,sotheyturnedto... SearchConvergedInfrastructure FlexPodXCSbringscloudcapabilitiestodatacenters FlexPodXCS,thelatestNetAppandCiscoconvergedinfrastructureappliance,expandssupportforhybridcloudenvironmentswith... Nutanixrevenueincreases,drivenbyhybridcloudadoption Benefitingfromthegrowinguseradoptionofhybridcloudsandasignificantincreaseindigitaltransformationprojects,Nutanix... Thetophyper-convergedsystemsandcomposableinfrastructureof2021 TheseProductsoftheYearwinnersoffertheflexibilityandscalabilitythatmakehyper-convergedsystemsanexcellentchoice... Close