So You Want to Be a Risk Mitigator: 5 Tips to Help You Master the Craft - MHA Consulting

Written by Richard Long | Sep 18, 2024 8:14:32 PM

One of the most important roles business continuity professionals have is that of risk mitigator: a person who understands, manages, and educates others at the organization about risk. In today’s post, we’ll share five things you need to know and do if you want to get good at the craft of mitigating risk.

Risk mitigation is the process of understanding the hazards facing an organization and taking steps to bring them to within a level determined to be acceptable in light of the organization’s mission.

It’s not about eliminating all risk completely, but thinking about and managing it in a rational, informed way.

Risk mitigation is by nature a process that is never done. Because your organization and environment inevitably change over time, managing risk is an ongoing activity.

Here are five tips to help you master the craft of mitigating risk:

Understand the risk management process

The process has six steps, and in managing risk, you should perform all of them in order on a continuous loop. The steps are:

Assess your risks
Prioritize your risks
Figure out your organization’s risk profile
Choose your risk strategies
Execute your risk strategies
Measure residual risk.

For a good overview, see our post Rinse and Repeat: Using the Risk Management Process to Manage Uncertainty from earlier this year.

Learn about the risk framework

The risk framework refers to the activities that make up the job of risk mitigator and managing risk at an organization. There are eight components:

Internal control environment
Setting of objectives
Event identification
Risk assessments
Risk response
Control activities
Communication of relevant information
Monitoring

I discussed the risk framework in detail in the post Everything You Always Wanted to Know About Managing Risk but Were Afraid to Ask.

Analyze the likely impact on your organization of each of the eight risk areas

The risk areas are:

Human error
Nature
Supply chains
Vendors
Technology
Data security
Facility security
Business processes/management

For more details, see the two posts mentioned above.

Understand your organization’s risk tolerance and risk appetite

These terms refer to how much risk management is prepared to accept in pursuit of its objectives. Risk appetite is a broader statement of the level of risk that management deems acceptable. Risk tolerance refers to the specific level of risk the company will accept as it pursues a specific objective.

Learn the four risk mitigation strategies

The four risk mitigation strategies are:

Avoid the risk by exiting activities that bring it on or implementing protections to eliminate the exposure.
Reduce the risk by taking steps to reduce the likelihood of a negative event occurring, though not removing it completely.
Transfer the risk such as by taking out insurance to help cover it or hiring a third party that will take the risk associated with the action or process.
Accept the risk, acknowledging that if the danger is realized, the organization will have to bear the consequences.

Once you as a risk mitigator have mastered the content described above, it all comes down to executing on what you know and educating your organization across all levels in order to make risk mitigation part of your organization’s culture. The most prepared organizations are those in which risk is addressed in daily activities and not just during a formal risk assessment.

Being a Risk Mitigator

Being a risk mitigator is about understanding the hazards that face your organization and managing them in an informed, rational way. By mastering the concepts set forth above, you will be well on your way to helping your organization stay within a reasonable level of risk while still performing its mission and pursuing attractive opportunities.