Ideal risk management, utopian even, seeks to eliminate all risks. We know that this is not possible and that, therefore, risk mitigation is at least as important as risk management as a whole.

Risk mitigation begins when we admit that a certain risk cannot be eliminated and that we must live with it, but under conditions in which it cannot cause the negative impact that was initially predicted.

Risk mitigation is the backbone of risk management. Experience tells us that few risks can actually be eliminated. Thanks to risk mitigation strategies, it is possible to accept and tolerate risks, in a security environment, without limiting the commercial objectives of the organization.

Risk Mitigation – What is it?

Risk mitigation is the process of developing options and actions that, when implemented, will improve opportunities and reduce the negative impact or probability of occurrence of a particular event.

This means that the risk still exists and we remain exposed to it, but in a controlled scenario and under conditions that allow us to reduce exposure and expect a low negative impact.

Of course, in order to understand a risk and decide which risks will be handled through mitigation, we follow a process. The process begins with the identification of all risks.

Steps to deal with risk

Risk identification

The identification of risks is the first step in management and therefore the basis for all the actions that follow. Identifying risks is nothing more than pointing them out and expressing why they have the ability to prevent the achievement of an objective.

Professionals in the area resort to different techniques to identify risks: brainstorming, evaluation schemes, interviews with the most knowledgeable employees, a record of previous experiences…

During the identification phase, no event can be ignored. The goal is to compile a list, for the moment without any criteria, of all the events that can affect the ability to achieve a goal.

The identification can be done for the risks that threaten the organization’s operation in general, but also for each area, for a specific project, or for a particular category of events, such as financial risks or natural disasters, for example.

The identification, of course, is cyclical and must be updated periodically, or when changes occur. The introduction of new products is, for example, an event that requires identifying new risks.

Risk evaluation

With a detailed list of risks, the next step is to assess and categorize them. The factors that determine the importance of a risk are the probability of occurrence and the level of the negative impact it has on the operation or on the objective or objectives evaluated.

Risk management professionals use different risk assessment models, which basically assign a numerical value to probability and another to impact, in order to obtain a value that allows the risk to be categorized independently of the subjective opinion of employees. Among others, risk management uses models such as “what if”, “the five whys” or “FMEA” to determine the severity of a risk.

Risk assessment not only allows us to assign a numerical severity value, but also allows us to know the root cause, a fundamental element to establish whether the risk can be eliminated or will have to be accepted and, therefore, mitigated.

Risk Mitigation Plan

The risk assessment will basically deliver four risk categories, according to probability and negative impact. These are:

  1. Low impact and low probability of occurrence.
  2. High impact and low probability of occurrence.
  3. High impact and high probability of occurrence.
  4. Low impact and high probability of occurrence.

This classification, together with knowledge of the root cause, provides the key elements to determine the strategy to follow, which can be one of the following:

Accept the risk

Usually, this treatment strategy is adopted for category 1 and 2 risks, especially when the risk assessment determines that undertaking some action to mitigate or eliminate the risk would cost more than the occurrence of the event itself.

This does not mean ignoring it or stopping monitoring it. The risk continues to exist and risk management allows us to identify it, know it and know what can happen.

Avoid or eliminate the risk

For category 3 risks there is probably no alternative but to look for an option to eliminate the risk. The cost may be high, but the benefit justifies it. This may involve changing or eliminating a process, or substituting a raw material or chemical agent used in the production process, for example.

Transfer the risk

Transferring or sharing risk is one way to mitigate it. We find two ways to transfer a risk: outsource a process or take out an insurance policy.

In the IT area, outsourcing data storage or backup copies is a way of transferring the risk of deterioration or loss of information, which in turn reduces personnel costs and investment in technological equipment. Taking out an insurance policy, which is another way of sharing the risk, will only offset the financial costs of the occurrence of the event; it will not resolve issues such as loss of reputation, for example.

Mitigate the risks

For all categories, but especially for numbers 3 and 4, actions to mitigate or reduce the risks will be appropriate. The purpose is to reduce exposure (impact or probability) or to take actions that deal with the consequences with the least possible negative impact.

Of course, mitigating actions will not eliminate the risk. Depending on the characteristics of the event, a substantial reduction can be obtained, but it can also be barely perceptible. In one way or another, the risks subject to treatment in this category must be constantly monitored or reviewed.
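The assessment and treatment steps above, worked through in code. This is an added example, not material from the original article or its authors: it scores each risk as probability × impact, derives the four categories from low/high probability and impact, and applies the category-to-strategy rules the article gives (accept for categories 1 and 2 when acting costs more than the event, avoid for category 3, mitigate otherwise). The 1–5 scales, the "high" threshold of 3, the LIKELIHOOD mapping used for the cost comparison, and every figure in the sample register are assumptions constructed for the example; transfer is not tied to a category on the page, so it is not encoded.

```python
"""Added example: a small risk register that applies the article's
assessment and treatment logic. Not code from the original article.

Assumptions (not stated on the page):
  * probability and impact are scored on 1-5 ordinal scales;
  * a score of 3 or more counts as "high" when forming the four categories;
  * LIKELIHOOD maps the probability score to an assumed yearly likelihood so
    that "cost of the action vs cost of the event" can be compared.
"""
from dataclasses import dataclass

HIGH = 3  # assumption: scores 3..5 are "high", 1..2 are "low"

# Assumed mapping from the ordinal probability score to a yearly likelihood.
LIKELIHOOD = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.90}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int     # 1-5, assumed scale
    impact: int          # 1-5, assumed scale
    event_cost: float    # estimated cost if the event occurs (constructed figure)
    control_cost: float  # estimated cost of the cheapest action that would
                         # mitigate or eliminate the risk (constructed figure)


def severity(risk: Risk) -> int:
    """Numerical severity: probability x impact, as in a classic risk matrix."""
    return risk.probability * risk.impact


def category(risk: Risk) -> int:
    """The article's four categories, from low/high probability and impact."""
    high_p = risk.probability >= HIGH
    high_i = risk.impact >= HIGH
    if not high_i and not high_p:
        return 1  # low impact, low probability
    if high_i and not high_p:
        return 2  # high impact, low probability
    if high_i and high_p:
        return 3  # high impact, high probability
    return 4      # low impact, high probability


def expected_loss(risk: Risk) -> float:
    """Cost of the event weighted by its assumed yearly likelihood."""
    return LIKELIHOOD[risk.probability] * risk.event_cost


def treatment(risk: Risk) -> str:
    """Pick the strategy the article associates with each category.

    accept:   categories 1 and 2 when acting costs more than the event itself
    avoid:    category 3, where elimination is worth the cost
    mitigate: everything else (appropriate for all, especially 3 and 4)
    """
    cat = category(risk)
    if cat in (1, 2) and risk.control_cost > expected_loss(risk):
        return "accept"
    if cat == 3:
        return "avoid"
    return "mitigate"


def prioritise(register):
    """Order the register by severity, highest first, for the mitigation plan."""
    return sorted(register, key=severity, reverse=True)


def plan(register):
    """Return (name, severity, category, treatment) rows, most severe first."""
    return [(r.name, severity(r), category(r), treatment(r))
            for r in prioritise(register)]


# Constructed sample register; names and figures are illustrative only.
REGISTER = [
    Risk("Phishing leads to account takeover", 4, 4, 200_000.0, 30_000.0),
    Risk("Backup media degrades unnoticed", 2, 4, 500_000.0, 100_000.0),
    Risk("Field laptop battery fails", 4, 1, 800.0, 200.0),
    Risk("Break-room coffee machine fails", 1, 1, 100.0, 500.0),
]


if __name__ == "__main__":
    for name, sev, cat, action in plan(REGISTER):
        print(f"severity {sev:2d}  category {cat}  {action:<8}  {name}")
```

Running the script lists the register most severe first. In the constructed data the backup-media risk lands in category 2 and is accepted only because the assumed control cost (100,000) exceeds the expected loss (0.15 × 500,000 = 75,000); change either figure and the same row flips to "mitigate", which is exactly the cost comparison the article describes for the accept strategy.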

Risk Manager Diploma

Risk management is an area that has become essential in modern organizations. Today, exposure to information security, quality, environmental management, or occupational safety risks, to mention only some of the most representative, justifies bringing specialized risk management professionals into organizations of all sizes.

The Risk Manager Diploma is a program of excellence, designed and implemented by the European School of Excellence, to provide organizations in all industries with the professionals they require to operate within a framework of safety and productivity.

This advanced program offers a triple degree from the European School of Excellence, ISOTools, and ERCA. Professionals who take this Diploma can work in all the countries of the European Union and Latin America. You can project your career into the future right now.