Risk mitigation strategies to increase the value of ERM
The risk mitigation process
Active risk mitigation is a process that begins where most enterprise risk management (ERM) programs currently end—with reporting and analysis of the risk universe. Done correctly, risk mitigation opportunities are proactively identified during reporting and review phases of the enterprise risk management framework.
In addition to formally documenting the potential areas of focus with risk assessments, a critical component of effective risk mitigation is the development and definition of a directed roadmap to execution. This roadmap acts as a risk mitigation plan to ensure the mitigation efforts have adequate resource allocation, deliverable timelines, and a definition of success.
Risk mitigation strategies should include regular status updates on progress, barriers, dependencies, and adjustments of scope. Upon completion of risk mitigation, an effective ERM program should provide an analysis of the residual risks after the implementation.
Risk mitigation strategies
During the active process, there are several risk mitigation strategies that can be used to assess risks, as demonstrated in the above image.
Accept: Make a deliberate decision to accept the risk and not develop any further plans to control it.
Monitor: Review the risk universe for any changes that may influence the impact of the risk.
Avoid: Change the risk processes and requirements to eliminate or reduce the risk.
Control: Develop further risk mitigation plans to minimize the impact and/or likelihood of the risk.
Transfer: Reassign responsibility for the risk to another department or stakeholder in the organization for acceptance.
Many organizations view enterprise risk management simply as a risk identification function—responsible for ongoing monitoring and regular reporting of the organization's identified and prioritized risks. However, organizations that take this narrow viewpoint to risk management are ignoring the value enterprise risk management brings to the table.
The perception of ERM and risk management teams
As a risk practitioner, you may wonder how risk mitigation activities can be taken on as an additional component of an ERM program. In these cases, the ERM function is probably not viewed as a true expert in the area of enterprise risk management. Likely, the organization has undergone little to no activities directly related to the ongoing mitigation of known enterprise risks.
Defining enterprise risk priorities for the organization doesn’t mean that anything can or will be done to overcome those risks. By simply calling out the existing and future risk considerations for the organization, the ERM function provides no additional palpable value beyond an enterprise risk management framework to measure and assess risk on an ongoing basis.
This is why ERM functions that focus on both identification and prioritization, as well as ongoing efforts to mitigate and overcome obstacles, are viewed as experts and greater contributors to the organization's ongoing risk mitigation strategy.
Practical considerations for increasing ERM's value
To change the perception of the ERM function and be viewed as organizational risk experts, consider taking the following steps:
- Collaborate with affected risk owners.
Risk owners live the risk in their day-to-day operations. To the extent that anything can be done to mitigate or even eliminate risk, they are likely highly interested in working with you on that effort.
- Define the plan, resources, timing, and deliverables.
Sometimes, it’s as simple as defining where you are expecting to go with risk mitigation efforts. Define the plan, resources, timing, and deliverables that will exhibit value to the organization and aid in the understanding of the level of residual risk.
- Understand your risk mitigation approach.
You don’t have to eliminate 100 percent of all risks. Focus on the efforts that will take minimal time and resources but will deliver a demonstrable remediation of risk. In some instances, it might be prudent to accept risk in its current state. Don’t be afraid to accept risk where it makes strategic sense.
- Circle back.
All of your efforts that focus on risk mitigation have a profound impact on the ongoing assessment and measurement of your risk environment and priorities. Be sure to directly connect and link efforts and output in risk mitigation to the ongoing risk assessment, review, and prioritization process. Not only are you adding significant input, but you are also closing the feedback loop and allowing stakeholders to experience the beneficial impacts that remediation efforts have on the organization’s risk profile and priorities.
The impact of new technology
Most risk mitigation strategies include multiple moving parts and impacted parties. The clearer and more effective the collaboration effort is, the more efficiently and concisely the mitigation effort is managed. To increase collaboration and efficiency, risk practitioners need to leverage new ERM technology to assist with ongoing mitigation efforts.
In addition to collaborative capabilities, ERM programs should look to utilize an ERM solution that integrates with their overall programs and try to avoid a spot solution geared only toward risk mitigation project management needs. For a more detailed viewpoint on selecting a comprehensive tool for your ERM program, read Harnessing the Power of Technology in ERM.
By taking that initial step to focus on risk mitigation and keeping in mind the four considerations above, you’ll soon begin to transform how your risk framework operates and will immediately enhance the value of ERM to your organization.