MHA Consulting Blog | Roadmap to Resiliency

The Ultimate Checklist for Creating a Risk Mitigation Plan

Written by Michael Herrera | Oct 5, 2016 1:45:34 PM
The most important part of your organization’s risk mitigation plan can be stated in one word: follow-through. The best mitigation plan in the world will do you no good unless you implement its action items.
Related on MHA Consulting: So You Want to Be a Risk Mitigator: 5 Tips to Help You Master the Craft 
The job of devising a risk mitigation plan can be boiled down to one sentence: Identify and prioritize your risks, develop action items to mitigate them, and systematically implement and track those items over time. Unfortunately, many organizations omit that last and most important step. They identify and prioritize their risks and devise steps and actions that would be effective at reducing their exposure, then do the modern equivalent of putting their plan in a drawer and forgetting about it.

An Ongoing Series on Risk

Recently in the blog, I’ve written a lot about risk. We’ve published articles on risk mitigation checklists , becoming a risk mitigator , risk mitigation strategies , a sample threat and risk assessment , and making risk management part of your company’s culture . And just last week over on the BCMMETRICS blog , MHA Consulting CEO Michael Herrera wrote about ISO 31000 , the International Organization for Standardization’s risk management guidelines. Collectively the posts amount to an ongoing series about risk, reflecting the topic’s importance in business continuity management.

In fact, it’s safe to say that everything we do in business continuity is about mitigating risk. Today’s post will address more specifically the risk mitigation plan—and the most important part of such a plan: systematically implementing and following up on the mitigation action items.

The Risk Mitigation Plan Checklist

The best way to formulate a risk mitigation plan is as a checklist. Here is a basic version of a risk mitigation plan checklist:
  Action Date Completed
1 Communicate/Gain Management Support  
2 Identify Team Members (lead, subject matter experts, technical writers)  
3 Identify/Update Risks (perform, update, or review the risk assessment)  
4 Assess/Prioritize the Risks  
5 Determine Mitigation Options  
6 Develop the Mitigation Plan (use checklists as appropriate; keep it simple with non-actionable items in appendices or at the end of the plan)  
7 Implement the Plan (review the plan and provide any training with those responsible for executing the plan; include management and individual contributors as well)  
8 Monitor the Plan (Are action items on track? Has the business environment changed? )  
9 Test the Plan (where appropriate, test the mitigation solutions or steps to ensure they are functional)  
10 Review/Update Plan (repeat steps 3-8)  

 

Which of the steps in the checklist is the most challenging to accomplish? Often, it’s Step 1, gaining management support. (For tips on how to do that, see Michael Herrera’s post “How to Manage Management: 8 Tips to Help You Bring Your Bosses on Board.”) Which steps are most organizations reasonably good at? Steps 3, 4, and 5: identifying and prioritizing risks and devising steps to mitigate them. Those three steps are important; however, by themselves, they do not enhance the organization’s resilience.

The Importance of Implementation

For its risk mitigation efforts to bring any benefit, an organization must also carry out Steps 6 through 10, covering implementation and tracking. Unfortunately, relatively few organizations get that far. In a word, most companies fall short in the area we identified in the beginning as the most important: follow-through. The difference between realizing you should do something and doing it is similar to the difference between deciding it would be a good idea to wear your seatbelt and actually wearing it. Conceiving the idea is a necessary part of the process of putting it on, but it is far from sufficient. In the event you are unlucky enough to be involved in a collision, simply having had the idea of wearing your seatbelt will do you no good at all. What is called for in your risk mitigation initiative is a disciplined, conscientious, and ongoing effort to implement the action items of your mitigation plan. Moreover, it’s not sufficient to consider these items only rarely, as part of an exercise or review. They should be tracked as part of your monthly or weekly program review.

Consolidating Your Action Items

One more step is important in terms of integrating your risk management plan into your overall program. It is recommended that you keep a consolidated action list of priorities across your entire program, including business continuity, IT disaster recovery, crisis management, and risk mitigation. Action items for these areas should be consolidated on to one list and prioritized in a rational manner, based on which would bring the greatest benefit to the organization in terms of reducing exposure and enhancing resilience. There are alternate methods of deciding which action items to tackle first. Two popular ones are addressing items first based on who is yelling the loudest or on which was added to the list most recently. It might be very human to prioritize your action items on this basis, but it’s not very wise, not if the goal is to achieve the best protection for the company and make the best use of the available resources. Finally, judgment must be exercised when prioritizing mitigation plan action items.

Sometimes, having three modest gaps concentrated in one business area creates greater total risk for the organization than having one large gap in a different area. In such cases, it might be best to take care of the three modest items before addressing the large one.

Achieving Success at Risk Mitigation

Ultimately, a risk mitigation plan amounts to nothing more than a prioritized list of action items, plus a mechanism for ensuring that they are tracked and implemented. Many organizations do a good job of identifying and prioritizing risks and coming up with good mitigation actions. Unfortunately, most fall short of the most important part of any risk mitigation plan: following through. Being successful at risk mitigation requires implementing actions, tracking them, revisiting them frequently, and rationally managing down the risk in the organization in a sustained, disciplined way over time.

Further Reading

For more information on risk mitigation planning and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: