Risk mitigation strategies must be developed based on the risk assessment and quantification process. This component is shown in the COSO model as risk response. Leaders identify and evaluate possible responses to the risks and develop actions that align risks with the institution's or department's ability to meet its objectives. This allows for a systematic reduction in risk exposure and/or the likelihood of its occurrence.
A risk mitigation plan, or risk response plan, shows how specific risks will be dealt with and the action steps required. There are basically four approaches:
- avoidance [eliminate the conditions that allow the risk to exist]
- reduction [minimize the probability that the risk will occur]
- sharing [transfer the risk]
- acceptance [acknowledge the existence of the risk but take no action]
Inherent risk is the risk in the absence of any actions taken to alter the risk’s likelihood and impact. Residual risk is the remaining risk after actions have been taken per the risk mitigation plan. Management recognizes that some level of residual risk will always exist due to limited resources and future uncertainty.
A critical part of a risk mitigation plan is establishing control activities. Types or general categories of controls include:
- Performance indicators
- Separation of duties
- Physical controls
- Information processing - accuracy, completeness, and authorization
- Policies and procedures