This post originally appeared on Quora in response to the question ‘What is a risk mitigation plan?’
What is a risk mitigation plan
A risk mitigation plan is the series of specific actions or steps you will take in response to a risk once you have completed your risk assessment. Before you develop the mitigation plan in detail, however, you need to settle on a general course of action from the five main options: avoid, tolerate, treat, transfer and terminate (A4T). Which of these is most applicable will depend on your risk tolerance (short term), your risk appetite (longer term) and what you can reasonably achieve with the resources available (ALARP: as low as reasonably practicable).
Once you have this general sense of the strategy, you can start planning the detailed approach and develop the risk mitigation plan.
When you are designing a set of measures to address the risk, try to mirror the methodology you used in the assessment. So if you calculated risk = threat * impact * vulnerability, link each element of the mitigation plan clearly to the element of the risk it acts on. This lets you evaluate whether the mitigation will actually reduce the risk, and by how much, and it also helps allocate responsibility for the various elements of the plan.
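The linkage described above, as an added example that is not part of the original post: each mitigation measure is tied to exactly one factor of risk = threat * impact * vulnerability, carries an owner and a measurable outcome, and the residual risk is recomputed with the same formula the assessment used. The 1-5 scoring scale, the sample scores for the fictional Janwick scenario, the reduction fractions and the rule that measures on the same factor compound multiplicatively are all assumptions made for the example.

```python
"""Added example (not from the original post): link each mitigation measure to one
factor of risk = threat * impact * vulnerability, then compute the residual risk so
the plan can be checked factor by factor. Scales, scores and reductions are assumed."""
from dataclasses import dataclass

FACTORS = ("threat", "impact", "vulnerability")
STRATEGIES = ("avoid", "tolerate", "treat", "transfer", "terminate")  # A4T options


@dataclass(frozen=True)
class Risk:
    name: str
    threat: float         # likelihood the threat materialises (assumed 1-5 scale)
    impact: float         # consequence if it does (1-5)
    vulnerability: float  # how exposed you are to it (1-5)

    def score(self) -> float:
        # Same formula the assessment used, so mitigations map onto it directly
        return self.threat * self.impact * self.vulnerability


@dataclass(frozen=True)
class Mitigation:
    name: str
    strategy: str     # which A4T course of action this measure belongs to
    factor: str       # the element of the risk this measure acts on
    reduction: float  # fraction by which it is expected to reduce that factor, 0..1
    owner: str        # who is responsible for delivering it
    measure: str      # the observable that shows the step is done and working


def validate(m: Mitigation) -> None:
    """Reject measures that cannot be linked back to the risk assessment."""
    if m.strategy not in STRATEGIES:
        raise ValueError(f"{m.name}: unknown strategy {m.strategy!r}")
    if m.factor not in FACTORS:
        raise ValueError(f"{m.name}: not linked to a risk factor ({m.factor!r})")
    if not 0.0 <= m.reduction <= 1.0:
        raise ValueError(f"{m.name}: reduction must be a fraction between 0 and 1")


def apply_plan(risk: Risk, plan: list[Mitigation]) -> Risk:
    """Residual risk after every measure is applied to the factor it targets.
    Several measures on one factor compound multiplicatively (an assumption)."""
    values = {f: getattr(risk, f) for f in FACTORS}
    for m in plan:
        validate(m)
        values[m.factor] *= 1.0 - m.reduction
    return Risk(risk.name, values["threat"], values["impact"], values["vulnerability"])


def reduction_pct(before: Risk, after: Risk) -> float:
    """Percentage of the inherent risk score removed by the plan."""
    return round(100.0 * (1.0 - after.score() / before.score()), 1)


def reduction_by_factor(risk: Risk, plan: list[Mitigation]) -> dict[str, float]:
    """What each factor's measures achieve on their own; a 0.0 marks a factor
    the plan leaves untouched, which is where to look for gaps."""
    return {
        f: reduction_pct(risk, apply_plan(risk, [m for m in plan if m.factor == f]))
        for f in FACTORS
    }


def tracking_sheet(plan: list[Mitigation]) -> list[tuple[str, str, str]]:
    """(measure, owner, how it is measured): the checklist used to track progress."""
    return [(m.name, m.owner, m.measure) for m in plan]


# Constructed sample: the post's fictional unrest scenario, scored on the assumed scale
UNREST = Risk("Protests and unrest in Janwick", threat=4, impact=4, vulnerability=3)

PLAN = [
    Mitigation("Move staff off the main protest routes", "treat", "vulnerability", 0.5,
               "Facilities", "Staff relocated from the city-centre office"),
    Mitigation("Remote-working continuity plan", "treat", "impact", 0.5,
               "IT", "Plan exercised; all teams can work remotely for 5 days"),
    Mitigation("Political-risk insurance", "transfer", "impact", 0.2,
               "Finance", "Policy in force, cover reviewed quarterly"),
]

if __name__ == "__main__":
    residual = apply_plan(UNREST, PLAN)
    print(f"inherent {UNREST.score():.1f} -> residual {residual.score():.1f} "
          f"({reduction_pct(UNREST, residual)}% reduction)")
    print("by factor:", reduction_by_factor(UNREST, PLAN))
    for row in tracking_sheet(PLAN):
        print(" -", row)
```

Running the script shows the inherent score of 48 falling to 9.6, and the per-factor view makes the gap visible: nothing in the plan touches the threat factor, which is expected here (a company cannot reduce the likelihood of protests) but is exactly the kind of question a peer review should ask. A measure whose `factor` is not one of the assessment's elements is rejected, which forces every line of the plan to be traceable to the risk it is meant to reduce.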
Summarizing the plan
As an example, this is a simple table of potential options XYZ Company might consider to address the threat of protests and unrest in the fictional country of Janwick.
Once you have settled on a set of potential mitigation measures, peer review them to confirm that the steps are credible and to avoid unintended consequences from the mitigation itself. Also make sure the plan contains clear, measurable steps, so that you can track progress and measure whether the mitigation is achieving the outcome you want.