that are not subject to effective mitigation activity may cause
For each risk, you should first document the applicable list of
mitigation activities. When thinking about what risk mitigation
activity is in place (or should be in place) it is useful to think
of the following three things:
- Prevention - What is in place that will attempt
to stop the risk happening in the first place? (eg: security, awareness
& training programs, qualified staff, planning, and/or procedures);
- Detection - What is in place that will let
me know if and when the risk does happen? (staff / customer reporting
mechanisms, financial reconciliation, fire alarms, audits);
- Response - If the risk happens anyway, what
measures do we have in place to lessen the impact? (eg: contingency
back ups, insurance, resolution processes).
Once documented, the list of mitigation activity should be assessed
as to how well the group of mitigation activity address the risk.
To assess mitigation strategy effectiveness consideration should
be given to the following questions:
- Do the group of mitigation activity address the risk effectively?
- Are the mitigation activity officially documented and communicated?
- Are the mitigation activity in operation and applied consistently?
Answers to these questions are scored and the results tallied
as per the Table below.
Thought processes underpinning this decision are also summarized
Development / Implementation
To ensure that mitigation plans are actioned requires management of the
process by relevant senior staff. This management planning process should
- Allocation of risk mitigation responsibilities;
- Approval or allocation of resources required;
- Establishment of deadlines;
- Report back agreed actions and dates to the Risk Coordinators and Manager-Risk
- An Escalation process;
All risks identified as requiring further mitigation should be
considered in the context of the options available. These options
should be considered weighing the cost of implementing each option
against the potential benefits. In some cases a cost-benefit analysis
may be required to assist in the selection process.
When assessing risk mitigation options, it is important to understand
that it will often be most appropriate to combine several mitigation
options. Risk responses may be specific to one risk or they might
address a range of risks.
By completing a risk mitigation plan, relevant University staff
can establish accountability, and ensure that risk management is
seen as part of each staff member's responsibility.
Risk mitigation plans act as a reporting mechanism to the relevant
user groups. These plans are flexible, allowing for continual updating
and reassessment as risks confronting the University change or
the likelihood and consequences change.