
Risk mitigation strategies to increase the value of ERM

Mike Rost
SVP, Investor Relations & Corporate Development
Published: November 15, 2016
Last Updated: August 4, 2023

Active risk mitigation is a process that begins where most enterprise risk management (ERM) programs currently end—with reporting and analysis of the risk universe. Done correctly, risk mitigation opportunities are proactively identified during reporting and review phases of the enterprise risk management framework.

In addition to formally documenting the potential areas of focus through risk assessments, a critical component of effective risk mitigation is the development and definition of a directed roadmap to execution. This roadmap acts as the risk mitigation plan, ensuring that each mitigation effort has adequate resource allocation, deliverable timelines, and a definition of success.

Risk mitigation strategies should include regular status updates on progress, barriers, dependencies, and adjustments of scope. Upon completion of a mitigation effort, an effective ERM program should provide an analysis of the residual risk that remains after implementation.

During the active process, there are five risk mitigation strategies that can be applied to an assessed risk:

  • Accept: Make a deliberate decision to accept the risk and not develop any further plans to control it.

  • Monitor: Review the risk universe for any changes that may influence the impact of the risk.

  • Avoid: Change the processes and requirements that give rise to the risk in order to eliminate or reduce it.

  • Control: Develop further risk mitigation plans to minimize the impact and/or likelihood of the risk.

  • Transfer: Reassign responsibility for the risk to another department or stakeholder in the organization, who then decides whether to accept it.

Many organizations view enterprise risk management simply as a risk identification function—responsible for ongoing monitoring and regular reporting of the organization's identified and prioritized risks. However, organizations that take this narrow viewpoint to risk management are ignoring the value enterprise risk management brings to the table.

As a risk practitioner, you may wonder how risk mitigation activities could possibly be taken on as an additional component of an ERM program. If that is the case, the ERM function is probably not yet viewed as a true expert in the area of enterprise risk management. Likely, the organization has undertaken little to no activity directly related to the ongoing mitigation of known enterprise risks.

Defining enterprise risk priorities for the organization does not guarantee that anything can or will be done to overcome those risks. By simply calling out the existing and future risk considerations for the organization, the ERM function provides no tangible value beyond an enterprise risk management framework for measuring and assessing risk on an ongoing basis.

This is why ERM functions that focus on identification and prioritization as well as ongoing efforts to mitigate and overcome the identified risks are viewed as experts and as greater contributors to the organization's risk mitigation strategy.

To change the perception of the ERM function and be viewed as organizational risk experts, consider taking the following steps:

  1. Collaborate with affected risk owners.
    Risk owners live the risk in their day-to-day operations. To the extent that anything can be done to mitigate or even eliminate risk, they are likely highly interested in working with you on that effort.
  2. Define the plan, resources, timing, and deliverables.
    Sometimes, it’s as simple as defining where you are expecting to go with risk mitigation efforts. Define the plan, resources, timing, and deliverables that will exhibit value to the organization and aid in the understanding of the level of residual risk.
  3. Understand your risk mitigation approach.
    You don’t have to eliminate 100 percent of all risks. Focus on the efforts that will take minimal time and resources but produce a demonstrable reduction in risk. In some instances, it might be prudent to accept a risk in its current state. Don’t be afraid to accept risk where it makes strategic sense.
  4. Circle back.
    All of your efforts that focus on risk mitigation have a profound impact on the ongoing assessment and measurement of your risk environment and priorities. Be sure to directly connect and link efforts and output in risk mitigation to the ongoing risk assessment, review, and prioritization process. Not only are you adding significant input, but you are also closing the feedback loop and allowing stakeholders to experience the beneficial impacts that remediation efforts have on the organization’s risk profile and priorities.

Most risk mitigation strategies involve multiple moving parts and impacted parties. The clearer and more effective the collaboration, the more efficiently the mitigation effort can be managed. To increase collaboration and efficiency, risk practitioners should leverage current ERM technology to support ongoing mitigation efforts.

In addition to collaborative capabilities, ERM programs should look for an ERM solution that integrates with their overall program and avoid a point solution geared only toward the project-management needs of risk mitigation. For a more detailed viewpoint on selecting a comprehensive tool for your ERM program, read Harnessing the Power of Technology in ERM.

By taking that initial step to focus on risk mitigation and keeping in mind the four considerations above, you’ll soon begin to transform how your risk framework operates and will immediately enhance the value of ERM to your organization.

About the Author
Mike Rost

SVP, Investor Relations & Corporate Development


As senior vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.

With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at Metricstream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.

Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not-for-profit consortium for open international standards for digital business reporting. He has been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.
