How to Guard Against a Risk (Mitigation)

Risks are tricky and we can't always avoid them. Sometimes, though, we can make them less likely to happen and/or less damaging if they do. This evasive action is called risk mitigation.

 Before you can do any risk mitigation, you will  have to identify what (known) risks you're facing.  Not all risks will be worth addressing with a mitigation plan, so having an estimated of probability and impact for each will help decide where it makes sense to spend resources.

 Look at several factors as you decide whether to create a mitigation plan for a risk:

  • Is the risk probability high enough that it's worth trying to lower the likelihood? 
  • Is the potential impact great enough that it's worth working to reduce it?
  • Is the cost of mitigation worth the change in probability and/or impact?
  • Will the mitigation lower the probability and/or impact enough to justify the cost of the action(s)?

 

If the decision is that a mitigation plan (and of course execution of the plan) makes sense for the individual risk, the next step is to balance that plan against mitigation actions for other risks on your list.  Depending on resourcing, you might need to choose which risks to actively mitigate.  This isn't as simple as picking the risks with the highest probability/impact combinations; factoring into the equation is how *much* you can actually mitigate a risk compared to how much you can mitigate other risks.

 If you don’t have a good idea of what a specific mitigation plan will involve it will be worth the effort to have at least the outline of a plan for comparison purposes.  One mitigation plan might contain several mitigation actions.  At a minimum, your plan should include:

 

  • An overview of the mitigation plan
  • Specific steps to be taken including:
    • Who will perform the steps
    • Whether the steps will be repeated
  • Reporting and monitoring

When you have a plan, you will want to double check the costs associated with the plan to ensure that the trade-off between those costs and the actual risk mitigation is worth executing the plan.  To do a thorough analysis, you will probably need to add information to your plan.   This information might include resources required and the cost of the resources, level of effort needed, and opportunity costs.

 When you've decided to go with a plan you should put it into action as soon as possible.  Timing information might also be included in the plan, especially if an action can't be taken until a certain point in a project.

 Now you have a mitigation plan to make the risk less likely (or less damaging) and you're executing to the plan. But how do you know it's working? If the mitigation actions aren't lowering or eliminating the risk it doesn't make sense to continue them.

For each action taken, you need to understand what indicators will change.  For example, suppose you are having issues with hiring - you aren't getting enough responses to your open requisitions and this issue raises the risk that you will not be able to staff for a big project in time.  In this case you need to track the number of responses per time period (and possibly the quality of applicants) - the risk is mitigated if you get a sufficient number of responses to be able to hire for the project in the timeframe needed.  The first task is to get a baseline - how many responses per week per position are you getting now?  And if you can dig into the past a bit you can see trends that will help you evaluate your mitigation actions.

 Here's where the reporting and monitoring part of the mitigation plan comes in.  As soon as you start executing the plan, start measuring the responses.  For example, you've only been posting on your company website and you're getting very few applicants.  Your mitigation plan might be to post on LinkedIn or another service.  There's a cost with using a recruiting site, so your plan only includes one site at a time.  Once you start posting on LinkedIn, track the number of applicants per position.  If the number increases enough to get hiring back on track you're doing well.  If the number of applicants doesn't increase, you'll probably stop posting on LinkedIn and look at backup plans - posting on another site, for example.  Both the baseline and the continuing measurements are critical to ensure that your plan is actually addressing the risk.

There may come a time when the risk has been resolved enough to stop the mitigation action - for example, hiring for the project is complete and you have no further large hiring efforts in the near future.  Some mitigation actions will continue until the project is complete.  Knowing that threshold in advance will make your mitigation plan even more effective - and cost-effective.