
Risk Mitigation Plan

Overview

A risk mitigation plan is a structured and strategic document developed to address identified risks following a formal risk assessment. Its purpose is to translate technical vulnerabilities and threat scenarios into business-relevant decisions, ensuring that risks are treated in line with organisational risk tolerance, regulatory obligations, and security objectives.

Rather than treating all risks equally, the plan prioritises mitigation activities based on likelihood, impact, and asset criticality, enabling informed decision-making by both technical teams and executive stakeholders.


1. Risk Treatment Strategies

Once risks have been identified and evaluated, the organisation must determine how each risk will be treated. The following risk treatment options are commonly used across enterprise risk management and security frameworks.

Risk Treatment Options

  • Risk Reduction (Mitigation)
    Implementing technical, administrative, or physical controls to reduce the likelihood or impact of a risk.

  • Risk Transfer
    Shifting risk to another party through mechanisms such as insurance policies or contractual agreements.

  • Risk Avoidance
    Discontinuing or avoiding activities where the risk exceeds the organisation’s risk tolerance.

  • Risk Acceptance
    Formally acknowledging the risk and accepting it without further treatment, typically with documented approval.


2. Tactical Mitigation and Containment

Effective mitigation focuses on protecting critical assets (“crown jewels”) and limiting the potential impact of security incidents through layered and proportional controls.

Key Mitigation Principles

  • Blast Radius Reduction
    Designing segmentation and containment controls so that compromise of one system does not propagate across the environment.

  • Vulnerability Management
    Identifying and remediating weaknesses through vulnerability scanning, penetration testing, configuration reviews, and secure development practices.

  • Partial / Compensating Controls
    Applying alternative safeguards when full remediation is not feasible, reducing overall risk exposure.

  • Residual Risk Management
    Assessing the remaining risk after controls are applied and determining whether it falls within acceptable business tolerance.


3. Governance, Ownership, and Accountability

A risk mitigation plan functions as both a technical control document and a governance artefact, ensuring accountability and oversight.

Governance Elements

  • Risk Ownership
    Each risk must have a clearly assigned owner, typically a senior manager or executive, accountable for risk treatment decisions.

  • Budget and Timeline
    Mitigation actions must be supported by defined funding and realistic implementation timelines.

  • Compliance and Assurance
    Documented mitigation actions provide evidence of due diligence and reasonable security practices for regulatory, contractual, and audit purposes.


4. Scoping and Environmental Context

Accurate scoping is essential to ensure mitigation efforts are targeted, effective, and proportionate.

Environmental Analysis Activities

  • Asset Inventory and Classification
    Identifying systems, data types, and sensitivity levels to determine appropriate protection requirements.

  • Third-Party and Supply Chain Risk
    Evaluating external dependencies and integration points that may introduce additional risk.

  • Likelihood and Impact Assessment
    Using qualitative or quantitative analysis to estimate risk frequency and business impact, including financial loss, operational downtime, and reputational harm.


Practical Analogy

Risk mitigation can be compared to preparing a home for flooding:

  • Installing a sump pump reduces risk (mitigation)
  • Purchasing flood insurance transfers risk
  • Avoiding construction in a flood zone avoids risk
  • Accepting minor water damage may be reasonable when mitigation costs exceed potential loss

The risk mitigation plan is the documented blueprint that determines which action is appropriate based on asset value, threat likelihood, and organisational risk tolerance.
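The prioritisation described in section 4 (likelihood, impact, asset criticality) and the cost-versus-loss reasoning in the analogy above, worked through in code. This is an added example, not part of the original page: the 1-to-5 scoring scale, the rule that a control must pay for itself and bring residual risk within tolerance, and every value in the sample register are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed scoring scheme (an assumption, not from the page): likelihood,
# impact and asset criticality are each rated 1-5 and multiplied, so inherent
# risk ranges from 1 to 125. Tolerance is the highest score the business accepts.
@dataclass
class Risk:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe) business impact
    criticality: int              # 1 (commodity) .. 5 (crown jewel) asset
    annual_loss: float            # estimated yearly loss if left untreated
    control_cost: float           # yearly cost of the proposed mitigating control
    control_effectiveness: float  # fraction of the risk the control removes (0..1)
    transferable: bool = False    # can it be insured or contractually shifted?

def inherent_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact * risk.criticality

def recommend(risk: Risk, tolerance: int, budget: float) -> tuple[str, int]:
    """Pick a treatment option and return it with the resulting risk score."""
    inherent = inherent_score(risk)
    if inherent <= tolerance:
        return "accept", inherent        # within tolerance: document and accept
    residual = round(inherent * (1 - risk.control_effectiveness))
    loss_avoided = risk.annual_loss * risk.control_effectiveness
    # Reduce only if the control is affordable (per-action budget ceiling),
    # pays for itself, and brings the residual risk inside tolerance.
    if risk.control_cost <= min(budget, loss_avoided) and residual <= tolerance:
        return "reduce", residual
    if risk.transferable:
        return "transfer", inherent      # score unchanged; the loss is borne elsewhere
    return "avoid", 0                    # discontinue the activity that carries the risk

def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register so the highest inherent risk is treated first."""
    return sorted(register, key=inherent_score, reverse=True)

# Constructed sample register (illustrative values, not real measurements).
REGISTER = [
    Risk("Legacy printer firmware", 2, 2, 1, 2_000, 500, 0.5),
    Risk("Unpatched internet-facing VPN", 4, 5, 5, 150_000, 20_000, 0.8),
    Risk("Ransomware on file server", 3, 4, 4, 60_000, 80_000, 0.5, transferable=True),
    Risk("Unused cloud dev account", 3, 3, 3, 10_000, 5_000, 0.3),
]

def build_plan(register: list[Risk], tolerance: int = 20, budget: float = 50_000):
    """Return (risk name, treatment option, score after treatment), highest risk first."""
    return [(r.name, *recommend(r, tolerance, budget)) for r in prioritise(register)]

if __name__ == "__main__":
    for name, action, score in build_plan(REGISTER):
        print(f"{name:32} -> {action:8} (score after treatment: {score})")
```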


Summary

A risk mitigation plan ensures that identified risks are:

  • Treated consistently
  • Aligned with business objectives
  • Governed through clear ownership
  • Defensible against regulatory and audit scrutiny

When properly implemented, it forms a critical component of an organisation’s information security and enterprise risk management practices.

