Risk Management: Understanding Risk Mitigation
Industry Insights · February 2011
By Lisa Dorian, CA∙CIA
Risk management is all about understanding risks that can impact your organizational objectives, and implementing strategies to mitigate and manage those risks. In this article, we examine the most common mitigation strategies and how they can be used to effectively manage risk. When mitigating or managing risks, here are three steps to consider:
Some risks aren't worth taking in the first place. Is the risk a result of activities within the core business or outside of it? If outside, and the level of risk is deemed relatively high, then consideration should be given to ceasing or avoiding those activities. If the activities are part of the core business, then consider whether there is another way of doing things that will avoid or minimize the risk or loss.
Without risk there is no reward. If the risk is low enough, then accept it as a cost of doing business—acknowledging that little to no action is being taken to mitigate that risk. An entity could establish a contingency fund or build a contingency plan to minimize any loss not previously anticipated from these risks.
Risk transference is the process of transferring any losses incurred to a third party, such as through the use of insurance policies. Another method of transferring risk is to outsource activities to a third party. If there are activities that are not core to the business, then it might make more sense to transfer these activities to a third party whose core business they do belong to, especially if internal resources are limited. Many back-office functions, such as payroll and purchasing, are outsourced to service providers that specialize in these areas.
A control is a procedure used to either prevent a risk from occurring or detect a risk after it has occurred. If the risk is worth taking and is part of an organization's core operating activities, then controls can be used to mitigate and manage the risk.
Figure 2 shows the range of control activities to consider based on the type of risk.
Figure 3 shows the link of control activities to the risk prioritization map.
Factors to consider
Several factors to consider in deciding which mitigation activities will work best for the organization include:
- Cost-benefit analysis of the mitigation cost versus the anticipated loss;
- Timeline to implement; and
- Resource availability.
In all cases, management responsibility needs to be assigned to each risk in order to ensure that it is managed.
Risk mitigation is all about understanding those risks that can impact the objectives of the organization, and taking the appropriate steps to reduce the risks to an acceptable level.
Lisa Dorian, CA∙CIA, is the president of PowellDorian Services Inc., a Vancouver-based company that specializes in governance, risk, and controls consulting.