Thursday Thoughts...

Some Thursday Thoughts… Risk Management vs Risk Mitigation (or Why I Almost Never Say Risk Mitigation)

Let’s start with a few definitions:

Risk Management: Risk management is the identification, evaluation, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Risk Treatment: Actions taken to manage identified risk.

Risk Mitigation: The process of reducing risk exposure and minimizing the likelihood of an incident. It involves identifying potential business threats and taking steps to lessen their effects.

Risk management and risk mitigation are both important processes in how your organization deals with risk. As you can see in the definitions, they are not the same, and shouldn’t be used interchangeably.

As a TPRM (third-party risk management) and GRC (governance, risk, and compliance) practitioner, I see my role primarily as risk management. Our process is built around the core concepts of risk management: identify, evaluate (assess), and prioritize risks. Then get the right people involved to decide how we are going to treat that risk – answering the question “What are we going to do about this?” That’s the heart of risk management: understanding what can happen and developing strategies to address those eventualities.

In day-to-day risk conversations, I tend to say risk management rather than risk mitigation. While both need to be discussed, my intended message is that, as the GRC and TPRM apparatus, my goal is to inform the organization what risks have been identified and to present the analysis and prioritization. In most cases, the organization (the risk owner, not the risk team) needs to determine the risk treatment strategy – avoid, reduce, share, etc.

By definition, risk mitigation is one of the risk treatment options. Going back to Risk Management 101, the risk treatment options are: avoid, reduce, transfer, accept, and share (transfer and share are often treated as the same option, and some frameworks use other terms, but those are the basics). Risk mitigation is the “reduce” option: you take steps to lower the likelihood or impact of a risk by developing and implementing controls, processes, and other protections. Mitigation does not include identification, analysis, prioritization, or communication of risk. In that respect, “risk treatment” and “risk mitigation” are similar and often used interchangeably, even though, strictly speaking, mitigation is only one way of treating a risk.

The bottom line here is that risk mitigation is a part of risk management – the “What are we going to do about this?” part. Remember, words have meaning. Risk management is the entire process, including treatment or mitigation. Treatment and mitigation are the actions you take to address the risk once it has been identified, assessed, and prioritized.
