Ask any business leader whether they’d like their organization to be proactive or reactive, and you’ll probably hear “Proactive, of course!” ten times out of ten. But then, if you ask them about emergency preparedness, they might say they have no choice but to be reactive. That is not entirely true.
Risk mitigation strategies can help your organization reduce the chaos and uncertainty of emergencies, natural disasters, and other common business risks. Many businesses struggle to understand where to start with risk mitigation. You shouldn’t overcomplicate it.
One of the core principles of risk mitigation is to make situations and decisions as straightforward as possible. That applies to your risk mitigation planning as well.
This article lays out the different types of risks your organization should consider. It then offers 10 risk assessment & mitigation strategies and best practices proven to work.
Your risk mitigation strategies are the processes and policies you put in place to reduce any risk level to your business. Usually, you will develop a plan to eliminate risk where possible, reduce it when not, and manage the different fallouts from that risk.
In their most recent report from 2019, the Enterprise Risk Management Initiative at NC State University found that 59 percent of all organizations surveyed felt the number of risks they faced was increasing. If businesses cannot control their risks, they can expect to see more incidents that negatively impact their operations and their bottom line. In addition, businesses that don’t properly manage their risk also become less attractive to customers and potential business partners.
Before diving into risk mitigation planning, you first need to understand the different types of risks you need to plan for. Much of the online risk mitigation literature focuses on cybersecurity and financial security. Those are both incredibly important topics, but businesses need to think more broadly about all types of risks, including their physical security.
You need to think about three high-level categories of risk: strategic risks, external risks, and internal risks.
You may actually want to accept some risks because the potential return will have great value for your company. That is often the case with an investment, a strategic push to launch a new product or bring a product to a new, untested market.
Failure may cost your company, but the risk is worth it when there is a good chance you’ll succeed. Because of that, risk mitigation for strategic risks usually involves evaluating larger business decisions to maximize the potential returns on higher-risk, higher-reward activities.
These risks arise outside of your control. You and your organization do not influence them—for example, natural disasters, social conflict, pandemics, or global economic shifts. Since you can’t prevent external risks, your focus should be on identifying when they’re imminent and managing them as they unfold.
Internal risks come from within your organization, and by definition, you have some degree of control over them. Examples of internal risk could include human errors, property theft, employee fraud, or breakdowns in operating procedures. Unlike strategic risks, there is usually no longer-term business benefit to allowing these risks to occur unaddressed. Therefore, companies should focus on eliminating internal risks as much as possible. Often, that requires special monitoring and management tools.
Once you understand how to categorize risks, you can plan mitigation strategies. The general principles behind risk mitigation planning are well-established and readily available online. Rather than repeat them, here we’ll focus on 10 concrete strategies and best practices any organization can adapt to its needs.
If asked to list their key assets, most managers could rattle most of them off the top of their heads. But a good risk mitigation strategy requires you to document all of them. So identify each physical and informational asset your business values, where it is located, and which team or department is responsible for it.
“Value” in this context means an asset whose absence would have a meaningful impact on the company, whether financial loss, operational disruption, or reputational damage. Once you have a complete list of assets, prioritize them based on their overall value to the organization.
Now identify the threats the assets you’ve identified might face. For example, do you have expensive handheld electronics that might be the target of theft? Is your facility located in a flood zone? Does one of your departments see high turnover with many disgruntled employees?
Just as you prioritized different asset values, you also need to prioritize the severity of different threats. First, consider the severity of a threat and the likelihood of it occurring. If a threat were to occur unchecked, what would the consequences be to your company short term and long term?
A vulnerability is a weakness in your security measures or operating procedures that allows a threat to affect an asset. Inventory vulnerabilities next, and log which ones enable which threats.
Are evacuation plans in place? Are fire extinguishers and smoke alarms inspected regularly? Is high-value equipment use monitored?
At this point, you should be able to assemble your mapped network of assets, threats, and the vulnerabilities that connect them into risk profiles. In this framework, a “risk” is the likelihood that a threat will exploit a vulnerability, resulting in a business impact. Risk profiling means assessing each risk you’ve identified and prioritizing them by the overall impact the threat would have on the business and the likelihood that it occurs.
With risks assessed, determine how your organization wants to address each that you’ve profiled. For lower impact risks, you may decide the costs of prevention and management outweigh the threat cost—for example, vandalism to the exterior of a remote and secure facility, which results in zero structural or reputational damage. For higher impact risks, you’d likely want a comprehensive mitigation plan.
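The steps above (inventory assets, list threats, log the vulnerabilities that connect them, score each risk by likelihood and impact, then pick a treatment) can be kept in a small register. The following is an added example, not code from the article or any product it mentions: the 1-to-5 scales, the treatment thresholds (accept at 4 or below, monitor up to 12, comprehensive mitigation above that) and the sample entries are all constructed for illustration, and the “remote fence vandalism” entry shows the accept-the-risk case the article describes.

```python
"""Small qualitative risk register: assets -> threats -> vulnerabilities -> scored risks -> treatment.

Added illustration. The scales, thresholds and sample entries are constructed
for this example; they are not from the article or from any standard.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ordinal 1..5 scales (constructed for the example)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Treatment bands on the likelihood x impact product (assumed thresholds)
ACCEPT_MAX = 4     # accept: document the decision and revisit periodically
MONITOR_MAX = 12   # monitor: add a control and a warning signal
                   # above MONITOR_MAX: comprehensive mitigation plan


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str        # responsible team or department
    location: str
    value: int        # 1..5, how much losing the asset would hurt the business


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str   # the weakness that lets the threat reach the asset
    likelihood: str      # key of LIKELIHOOD
    impact: str          # key of IMPACT

    def score(self) -> int:
        """Risk = likelihood that the threat exploits the vulnerability x business impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def treatment(self) -> str:
        s = self.score()
        if s <= ACCEPT_MAX:
            return "accept"
        if s <= MONITOR_MAX:
            return "monitor"
        return "mitigate"


def profile(risks: list[Risk]) -> list[Risk]:
    """Order risks highest priority first: by score, ties broken by asset value."""
    return sorted(risks, key=lambda r: (r.score(), r.asset.value), reverse=True)


def register_report(risks: list[Risk]) -> list[dict]:
    """Flatten the prioritized register into rows a response plan can cite."""
    return [
        {"asset": r.asset.name, "owner": r.asset.owner, "threat": r.threat,
         "vulnerability": r.vulnerability, "score": r.score(),
         "treatment": r.treatment()}
        for r in profile(risks)
    ]


# Constructed sample register echoing the article's own examples
HANDHELDS = Asset("handheld scanners", "warehouse ops", "main floor", value=4)
SERVER_ROOM = Asset("server room", "IT", "ground floor annex", value=5)
FENCE = Asset("perimeter fence", "facilities", "remote yard", value=1)

SAMPLE_RISKS = [
    Risk(HANDHELDS, "theft by departing staff", "no check-out log for devices",
         likelihood="likely", impact="moderate"),        # 4 x 3 = 12 -> monitor
    Risk(SERVER_ROOM, "flooding", "facility is in a flood zone, no raised flooring",
         likelihood="possible", impact="severe"),        # 3 x 5 = 15 -> mitigate
    Risk(FENCE, "vandalism", "no camera coverage of the remote yard",
         likelihood="possible", impact="negligible"),    # 3 x 1 = 3 -> accept
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(f"{row['score']:>2}  {row['treatment']:<8} {row['asset']}: {row['threat']}")
```

The useful property is that the treatment falls out of the score rather than of whoever argued loudest in the meeting; change a likelihood or impact rating and the priority order and treatment update with it, which is what makes the register worth revisiting when a monitoring signal fires.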
You need to document risk treatments, but don’t confuse risk treatments with a full-fledged plan. Your next step is to create an incident response plan that addresses all of your organization's threats. This plan should connect to your wider security program.
Your response plan should include all of the details you’ve documented so far, including assets, threats, vulnerabilities, and combined risk profiles. After that, you need to lay out the key roles and responsibilities different individuals have when a threat impacts your business. We recommend identifying incident managers who have ultimate authority during the response effort.
Once roles are defined, detail the procedures you want different individuals to follow. Set out communication guidelines so that your response team and business leadership understand how your risk mitigation efforts are progressing.
A response plan is useless if your personnel don’t know how to carry it out. Schedule training sessions for everyone in your organization once you’ve finished developing your plan. Also, include new safety and risk mitigation plans in new employee orientation. That will help you build a culture of safety within your organization.
In an emergency, people with roles in your plan obviously need to know what to do. But everyone else needs to know processes as well. For example, suppose your entire workforce needs to evacuate due to a major external risk, like a tornado. In that case, everyone will need to know shutdown procedures for their area and evacuation routes.
It is easier to mitigate risks when you can see them coming. Set up monitoring processes and systems that warn you when you’re running at elevated risk levels or when a vulnerability is exposed.
Smoke alarms are the most common and obvious example of a warning system. If one of the internal risks you’re monitoring is the loss of essential equipment, consider a smart storage system that logs equipment transactions. Content surveillance tools in a smart locker system, for example, can verify that the correct devices are taken or returned and even check their status.
You can configure alerts if a return deadline is missed so a supervisor can look for the employee who signed a device out. That increases your chance of recovery and helps ensure that workflows on the next shift aren’t disrupted.
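The missed-deadline alert described above amounts to scanning the check-out log for items that are past due and not yet back, then routing each one to the right supervisor. Here is an added example of that check, not code from the article or from any locker product: the record layout, the 15-minute grace period and the sample sign-outs are constructed for illustration.

```python
"""Overdue-equipment alerting over a constructed check-out log.

Added illustration; the record format and the grace period are assumptions,
not the behaviour of any particular smart locker system.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import defaultdict

GRACE = timedelta(minutes=15)   # assumed: don't page a supervisor for a 5-minute delay


@dataclass(frozen=True)
class Checkout:
    device_id: str
    employee: str
    supervisor: str
    checked_out: datetime
    due: datetime
    returned: datetime | None = None   # None while the device is still out


def overdue_alerts(log: list[Checkout], now: datetime, grace: timedelta = GRACE) -> list[dict]:
    """Return one alert per device that is still out and past its due time plus grace.

    Devices already returned (even if returned late) produce no alert; late returns
    are a reporting matter, not a recovery one.
    """
    alerts = []
    for c in log:
        if c.returned is not None:
            continue
        if now > c.due + grace:
            minutes_late = int((now - c.due).total_seconds() // 60)
            alerts.append({"device": c.device_id, "employee": c.employee,
                           "notify": c.supervisor, "minutes_overdue": minutes_late})
    # Most overdue first, so the supervisor sees the likely-lost item at the top
    return sorted(alerts, key=lambda a: a["minutes_overdue"], reverse=True)


def alerts_by_supervisor(alerts: list[dict]) -> dict[str, list[dict]]:
    """Group alerts so each supervisor gets a single message for their team."""
    grouped: dict[str, list[dict]] = defaultdict(list)
    for a in alerts:
        grouped[a["notify"]].append(a)
    return dict(grouped)


# Constructed sample: end of a day shift, three sign-outs of different states
T = datetime(2024, 3, 5, 8, 0)
SAMPLE_LOG = [
    Checkout("SCAN-017", "a.lee", "shift-lead-1", T, T + timedelta(hours=9),
             returned=T + timedelta(hours=9, minutes=40)),   # returned late, but returned
    Checkout("SCAN-022", "b.ortiz", "shift-lead-1", T, T + timedelta(hours=9)),  # still out
    Checkout("TAB-004", "c.nair", "shift-lead-2", T + timedelta(hours=6),
             T + timedelta(hours=14)),                       # not due until the night shift
]
NOW = T + timedelta(hours=10, minutes=30)   # 18:30, 90 min after the day-shift due time

if __name__ == "__main__":
    for sup, items in alerts_by_supervisor(overdue_alerts(SAMPLE_LOG, NOW)).items():
        print(sup, [(i["device"], i["employee"], i["minutes_overdue"]) for i in items])
```

Running the check on a schedule (say, every few minutes near shift changeover) is what turns the locker log into an early warning rather than an after-the-fact audit trail.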
One layer of monitoring or security often isn’t enough. You can mitigate the risk of any one vulnerability causing a problem by layering additional security, monitoring, and mitigation strategies to catch different issues. That is called defense in depth.
One of the best ways to mitigate internal risks is with deterrents. Prevent threats from ever exploiting vulnerabilities, so you don’t need to worry about managing them. For example, use surveillance cameras to deter vandalism. Or use access controls to prevent unauthorized access to stored vital equipment.