The Most Important Part of Every Risk Mitigation Plan

The most important part of your organization’s risk mitigation plan can be stated in one word: follow-through. The best mitigation plan in the world will do you no good unless you implement its action items. 

The job of devising a risk mitigation plan can be boiled down to one sentence: Identify and prioritize your risks, develop action items to mitigate them, and systematically implement and track those items over time. 

Unfortunately, many organizations omit that last and most important step. They identify and prioritize their risks and devise steps and actions that would be effective at reducing their exposure, then do the modern equivalent of putting their plan in a drawer and forgetting about it.  

An Ongoing Series on Risk 

Recently in the blog, I’ve written a lot about risk. We’ve published articles on risk mitigation checklists, becoming a risk mitigator, risk mitigation strategies, a sample threat and risk assessment, and making risk management part of your company’s culture.  

And just last week over on the BCMMETRICS blog, MHA Consulting CEO Michael Herrera wrote about ISO 31000, the International Organization for Standardization’s risk management guidelines.  

Collectively the posts amount to an ongoing series about risk, reflecting the topic’s importance in business continuity management. In fact, it’s safe to say that everything we do in business continuity is about mitigating risk. 

Today’s post will address more specifically the risk mitigation plan—and the most important part of such a plan: systematically implementing and following up on the mitigation action items. 

The Risk Mitigation Plan Checklist 

The best way to formulate a risk mitigation plan is as a checklist. Here is a basic version of a risk mitigation plan checklist: 

Step  Action                                                                                              Date Completed/Updated
1     Gain management support for the risk mitigation effort
2     Identify who will be on the risk mitigation team (team lead, subject matter experts, and technical writers)
3     Identify the risks facing the organization (perform a threat and risk assessment)
4     Assess the risks, prioritizing them in terms of likelihood of occurrence and impact if they did occur
5     Determine mitigation options
6     Develop the mitigation plan (use checklists; keep it simple; keep non-actionable items at the end of the plan or in appendices)
7     Implement the risk mitigation plan
8     Monitor the plan (are action items on track? has the business environment changed?)
9     Where appropriate, test the mitigation solutions or steps to ensure they are functional
10    Continuously review and update the plan

Which of the steps in the checklist is the most challenging to accomplish? Often, it’s Step 1, gaining management support. (For tips on how to do that, see Michael Herrera’s post “How to Manage Management: 8 Tips to Help You Bring Your Bosses on Board.”) 

Which steps are most organizations reasonably good at? Steps 3, 4, and 5: identifying and prioritizing risks and devising steps to mitigate them. 

Those three steps are important; however, by themselves, they do not enhance the organization’s resilience. 

The Importance of Implementation 

For its risk mitigation efforts to bring any benefit, an organization must also carry out Steps 6 through 10: developing the plan, implementing it, monitoring it, testing the mitigation solutions, and continuously reviewing and updating the plan. Unfortunately, relatively few organizations get that far. 

In a word, most companies fall short in the area we identified in the beginning as the most important: follow-through. 

The difference between realizing you should do something and doing it is similar to the difference between deciding it would be a good idea to wear your seatbelt and actually wearing it. Conceiving the idea is a necessary part of the process of putting it on, but it is far from sufficient. In the event you are unlucky enough to be involved in a collision, simply having had the idea of wearing your seatbelt will do you no good at all. 

What is called for in your risk mitigation initiative is a disciplined, conscientious, and ongoing effort to implement the action items of your mitigation plan. Moreover, it’s not sufficient to consider these items only rarely, as part of an exercise or review. They should be tracked as part of your monthly or weekly program review. 

Consolidating Your Action Items 

One more step is important in terms of integrating your risk management plan into your overall program.  

It is recommended that you keep a consolidated action list of priorities across your entire program, including business continuity, IT disaster recovery, crisis management, and risk mitigation.  

Action items for these areas should be consolidated onto one list and prioritized in a rational manner, based on which would bring the greatest benefit to the organization in terms of reducing exposure and enhancing resilience.  

There are alternate methods of deciding which action items to tackle first. Two popular ones are addressing items first based on who is yelling the loudest or on which was added to the list most recently.  

It might be very human to prioritize your action items on this basis, but it’s not very wise, not if the goal is to achieve the best protection for the company and make the best use of the available resources.  

Finally, judgment must be exercised when prioritizing mitigation plan action items. Sometimes, having three modest gaps concentrated in one business area creates greater total risk for the organization than having one large gap in a different area. In such cases, it might be best to take care of the three modest items before addressing the large one. 

Achieving Success at Risk Mitigation 

Ultimately, a risk mitigation plan amounts to nothing more than a prioritized list of action items, plus a mechanism for ensuring that they are tracked and implemented.  

Many organizations do a good job of identifying and prioritizing risks and coming up with good mitigation actions. Unfortunately, most fall short of the most important part of any risk mitigation plan: following through.  

Being successful at risk mitigation requires implementing actions, tracking them, revisiting them frequently, and rationally managing down the risk in the organization in a sustained, disciplined way over time. 

Further Reading

For more information on risk mitigation planning and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: 

About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.