Risk Mitigation

… a core concept used in Implementation and Delivery and Atlas107

Concept description

Andrew Graham (reference below, e-book on right) describes six principal means of risk mitigation: accept or tolerate; prevention; reduction; control; transfer; and prepare.

Graham writes:

“Organizations have an array of tools for reducing or managing their risks. Some are risk specific and some are inherent in the way well managed organizations are expected to function. In other words, good management is the first risk mitigation strategy. Even with this array, not all risks can be eliminated in an affordable way. Organizations have to carefully weigh just how much time and effort they are prepared to put into risk mitigation.” (p. 104)

Tolerating risk or self-insurance

“Tolerating a risk may mean recognition that no amount of internal resources will cause it to go away or be effectively managed. It may mean that no insurance is available at a reasonable rate. It may also be a calculation that, even if the impact might be severe (High Risk/Low Probability), the potential for the risk to actually manifest itself is very low. Tolerating risk then becomes a form of self-insurance in which your own organization takes back all the risk. In some cases, prevention or transfer is therefore neither practical nor affordable.

“Regardless of the decision to accept a risk and take no specific remedial action, it is necessary to continue to monitor the risk, as your risk management process has identified it and you have kept it on your chart, scoreboard or reporting system. There is ample experience across companies and governments that High Impact/Low Probability risks can change quickly, demanding a new response.” (p. 106)

Prevention

“Here the organization has to decide what not to do in the face of the risks. Prevention has several aspects:

  • Ceasing the activity or operation in the face of unacceptable risks
  • Changing procedures, rules or regulations to reduce the likelihood of the risk occurring
  • Boosting internal controls to a high level
  • Use of information and training for both staff and the public about the risk and how to respond
  • Banning risky activities, either internally (smoking in the office), or to the client (no single person visits)
  • Installing safety equipment.” (p. 106-107)

Reduction

“Risk reduction is a general category for a range of activities that will reduce the potential of occurrence or impact of the risk if it does. This could involve such steps as:

  • Increasing investment in risky infrastructure
  • Replacing dangerous equipment
  • Finding new suppliers or delivery tools that reduce risk
  • Fixing that which is not working effectively
  • Setting in place review and research processes to study the risks and come back with recommendations
  • Establishing special task groups to come back with recommendations
  • Changes in management systems
  • Changes in human resource strategies
  • Continuous review of pre and post control gates against errors and adjustment.” (p. 107)

Control

“Some examples of how controls play a role in risk mitigation have already been offered. The organization should review its financial and operational controls as it sets out its risk plans. Too often, these controls are assumed to be functioning in an invisible and quiet way, when the flow of events that are there to control may have changed dramatically. Similarly, new risks may have arisen that demand new measures. Some of the key control areas are:

  • Financial
  • Operational
  • Budget performance
  • Performance measure in relation to plan
  • Safety issues
  • Security controls: physical, personnel and the public.” (p. 107)

Transfer

“One can rarely fully transfer a risk to someone else or some other organization. However, it is possible to transfer some of it or the financial uncertainties associated with it. This means causing another party to accept the risk, typically by contract. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. However, you have to remember that what this does is not actually transfer the risk, but rather smooth out the potential impacts.

“In situations where you are using suppliers, contractors or have outsourced an element of the work, you will want to ensure that some elements of risk transfer or risk sharing are built into the contractual relationship. Therefore, you will want to ensure that issues of personal safety, security of data, public accidents or damage and similar risks inherent in the operation of a contract are anticipated and negotiated as part of the risk transfer process. The greatest risk in this instance is that the contracting process failed to address the issue in the first place. In that instance, risk flows back to its original owner. It pays to be clear.

“Risk transfer, to the extent that it can be achieved, can be an effective tool of spreading out risk. However, it will seldom do much for an organization when issues of trust or reputation are involved. In that sense, this mitigation tactic, while valuable, does not absolve the risk owner of a need for watchfulness.” (p. 107-108)

Prepare

“Risks in the categories of High Impact/Low Probability demand some form of preparatory response. This could involve the preparation of detailed emergency response plans. These should be accompanied by training and readying the organization in the event of such an occurrence.

“In addition, organizations need to have in place business continuity plans in the event of major shut-downs over which they may have limited control. Unlike emergency response planning, business continuity is about restarting the organization, ensuring that vital data and process capacity has adequate back-up to enable this. It is very clear that organizations that lack any plans for generally unlikely but nonetheless serious events respond poorly to them and recover more slowly. They also face major damage to their reputations and credibility with the public, their clients and customers. Experience has also shown that organizations that fail to prepare for these events face liabilities associated with their governance responsibilities.” (p. 108)

Atlas topic, subject, and course

Managing Risk (core topic) in Implementation and Delivery and Atlas107.


Andrew Graham (2008), Integrated Risk Management Implementation Guide, free e-book at http://www.andrewbgraham.ca/integrated-risk-management-implementation-an-e-book.html, accessed 21 September 2017.

Page created by: Ian Clark, last modified 21 September 2017.

Image: Andrew Graham (2008), Integrated Risk Management Implementation Guide, free e-book at http://www.andrewbgraham.ca/integrated-risk-management-implementation-an-e-book.html, accessed 21 September 2017.