While risks describe what could go wrong in your organization, mitigations are the actions you can take to reduce or eliminate those risks.
In Risk Management, mitigation is the goal because it is what allows you to keep risks controlled. Mitigation lets you sleep at night!
A single risk can have one or more mitigations added. Typically, these are determined during the risk analysis stage. So you start out by adding all the risks without mitigation; then, at a later stage, you discuss with your colleagues what mitigation you can add for each risk.
There are many ways to mitigate risks, and it's beyond the scope of this user guide to go into depth about how you should go about mitigating all risks.
However, we will describe the types of risk mitigation that you can store in Staff.Wiki.
To add a mitigation to a risk, first bring up the risk by clicking it in the list.
Then click the "Add Mitigation" button, which will bring up the mitigation form.
Let's run through the fields you can enter, which will help you understand how risk mitigations are defined in Staff.Wiki:
Status: This is the current status of the risk mitigation. If it is already in place, then you will set this to Complete. But it can also be in many other stages:
- Complete: The mitigation is active.
- In Progress: The mitigation is currently being developed but is not yet actively in place.
- Checking: The mitigation is complete, but it is being verified.
- Planned: It is designed and planned, but work has not yet started on the mitigation.
- Investigating: The mitigation is being investigated, but has not yet been fully planned.
- Not Planned: This is a mitigation idea; there are currently no plans to implement it.
- On Hold: The mitigation was previously being worked on, but has been put on hold.
- Won't Do: This is a mitigation idea, but it will never be implemented.
- Archived: The mitigation is no longer relevant or applicable and has been archived.
- Canceled: Similar to "Won't Do", except that work had previously gone into the mitigation before it was canceled, and it will likely never be fully implemented.
Type: This is the type of mitigation. There are several options:
- Policy/Procedure: Most often, risks are mitigated by instituting policies or procedures. For example, to reduce the risk of an accident, specific procedures can be instituted in order to ensure people are acting safely and proper precautions are taken. This lets you select a policy or procedure that is mitigating this risk.
An important feature is that the mitigation will only be enabled if the policy/procedure it links to is performing, based on performance thresholds that you specify.
- Insurance: Quite often risks are mitigated through insurance policies. For example, the risk of being sued can be mitigated by acquiring liability insurance. The risk of employees being away from work for a long time after getting seriously sick can be mitigated through health insurance. There are many different forms of insurance out there.
- Remediation Actions: Selecting this option will show a "Tasks" link at the bottom of the form. This lets you specify one or more tasks, assigned to staff members, that relate to work that can be done to mitigate the risk. For example, if you had the risk of an intruder breaking in and nobody noticing, the remediation task may be to install an alarm system.
- Liability Protection: Other than insurance, there are other ways to get liability protection. For example, you can limit liability through corporate structure, moving the risk-taking activity into an LLC (Limited Liability Company). That way, if you are sued, the financial and asset exposure will be limited to the assets belonging to that specific LLC. Another way to limit liability is through contracts with third parties, where they agree to take on liability.
- Collateral: One such contract is to take on collateral. When a bank lends money, they often ask for collateral - which is an existing asset owned by the borrower - which is kept aside to back up the money lent. If the borrower is unable to repay the money, then the bank will be able to sell the collateral in order to cover what could not be repaid. This is another way of reducing financial risk.
- Guarantee: Similarly to collateral and insurance, a guarantee is a third party who is contractually obligated to cover any financial risk associated with an activity.
- Accept: You would choose "Accept" if you believe the risk is worth taking without any (or certain) mitigation in place. Perhaps the opportunity is significant and rewards outweigh the risks involved. This allows you to reduce the visibility of the risk, while still acknowledging it, so you can focus on other risks you are more concerned with mitigating.
- Transfer / Share: This is also usually a contractual mitigation. You can decide to share a risk with a partner or other organization, who is perhaps also going to benefit from the opportunity or reward the risk stems from.
- Avoid: If the mitigation involves avoiding a certain activity involved in the risk, then this can be entered here. Usually this avoidance will involve a policy or procedure being instituted, but not necessarily.
- Other: For any other form of mitigation, select "Other" and put the details into the Details field.
Policy Tab, Policy/Procedure: If you selected "Policy/Procedure" in the Type, then these fields will be enabled, allowing you to select the associated tab and the specific policy or procedure that will mitigate this risk.
Must Approve Changes?: If this is set, then the approver set on the Risk Register will be asked to review and approve any changes made to the specified policy. This is to ensure that changes to the policies are not compromising the mitigation, thus perhaps unintentionally increasing risks.
Probability Reduction: Here you indicate approximately how the mitigation, if successful, will change the risk. Specifically, you specify how much it should reduce the probability of the risk occurring.
Impact Reduction: Here you specify the approximate reduction in overall impact, whether it occurs or not. Some mitigations will affect the probability, others will affect the impact, and some will affect both the probability of it happening, and the overall impact.
Probability of Success: Just because you enact a mitigation, it doesn't mean it will necessarily work. Here you can specify the probability that the mitigation will be successful. If you do not know, you can leave it as "Certain".
Approximate Cost: Mitigation involves work and often other investment. Here you can enter the approximate cost (per annum) of the mitigation to be implemented. This can be useful in weighing whether the mitigation is worth it, compared to the cost of the risk itself. This is optional; if you do not know the cost, you can leave it blank.
Expiry: If the mitigation is only active for a certain period, put the expiration date here. An example is an insurance policy that expires on a certain date. After this date, the mitigation will no longer be applied and any reduction in probability or impact will be removed, reinstating the original values.
Notice (Days): If you entered an expiration date above, you can specify how many days prior to expiration you want to be notified. At that point, the status of the mitigation will be updated to "Expiring" and any reduction in probability or impact will be unapplied, making the full risk visible in the matrix.
Details: Here you can specify more details about the mitigation.
Tasks: If you specify Remediation Actions then the "Tasks" link will appear, which will let you add one or more tasks to the mitigation, each of which you can track independently and assign to different staff members.
Once you have entered the mitigation, click OK to record it against the risk. So long as the Status is set to Complete, the probability and impact will be modified accordingly, and the Risk Matrix will be updated.