Risk Mitigation (it used to be called Risk Handling) is the process that identifies, evaluates, selects, and implements options in order to set risk at acceptable levels given program constraints and objectives. This includes the specifics on what should be done, when it should be accomplished, who is responsible, and associated cost and schedule.
Definition: Risk mitigation is a plan to prepare for and lessen the effects of risks or threats to a project, system, or business. This is done by prioritizing, evaluating, and putting in place the right risk-reducing controls/countermeasures recommended by the risk management process.
Understanding Risk Management
Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction.
Risk Management Process
The risk management process includes the following continuous key activities, and Risk Mitigation is one of them. Below are the steps of the risk management process.
Why is Understanding Risk Mitigation Important?
Understanding risk is important because it lets you reduce problems that could hurt your project, or prepare to deal with them. Risks won’t go away if you ignore risk factors, and going forward without a mitigation plan could hurt your bottom line. This is why it’s important to reduce risks. With a clear plan and clear mitigation steps, you can stop risks from turning into problems that get out of hand, or even stop risks from occurring in the first place.
Risk Mitigation Goal
The goal of Risk Mitigation is to lessen or eliminate risk’s impact on a program or business. Eliminate as much risk as possible.
Risk Mitigation Strategies
For each risk identified, the mitigation strategy type must be determined, and the details of the mitigation must be described in the Risk Mitigation Plan. The purpose of the risk mitigation plan is to ensure that the mitigation is actually carried out and succeeds.
The most appropriate strategy is selected from these mitigation options: [1, 2]
- Avoidance: This is when it’s decided to perform other activities that don’t carry the identified risk by eliminating the root cause and/or consequence. It seeks to reconfigure the project so that the risk disappears or is reduced to an acceptable value.
- Controlling: This is when you control the risk by managing the cause and/or consequence. Risk control can take the form of installing data-gathering or early warning systems that provide information to assess more accurately the impact, likelihood, or timing of a risk. If a warning of risk can be obtained early enough to take action against it, then information gathering may be preferable to more tangible and possibly more expensive actions.
- Transfer/Sharing: This is when you share the risk with a third party like an insurance company or subcontractor.
- Assumption: This is accepting the loss, or the benefit of gain, from a risk when it occurs. Risk assumption is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained.
Risk Mitigation Planning
Risk mitigation planning is the activity that identifies, evaluates, and selects options to set risk at acceptable levels given program constraints and objectives. Risk mitigation planning is intended to enable program success. It includes the specifics of what should be done, when it should be accomplished, who is responsible, and the funding required to implement the risk mitigation plan. The most appropriate program approach is selected from the mitigation options listed above and documented in a Risk Mitigation Plan. 
The level of detail depends on the program life-cycle phase and the nature of the need to be addressed. However, there must be enough detail to allow a general estimate of the effort and technological capabilities needed based on system complexity. 
Risk Management Plan
A Risk Management Plan (RMP) is prepared by a Project Manager (PM) to address risks and their potential impact on a program and consists of ways to mitigate these risks. The RMP tells the government and contractor team how they plan on reducing risks to a certain level by a certain time.
Utilize the Risk Reporting Matrix
The risk management plan should detail how to use the Risk Reporting Matrix to determine the level of each risk identified within a program. It is a useful tool for deciding which risks deserve mitigation effort first. The level of risk for each root cause is reported as low (green), moderate (yellow), or high (red).
Risk Management Components
- A future root cause (yet to happen), which, if eliminated or corrected, would prevent a potential consequence from occurring,
- A probability (or likelihood) assessed at the present time of that future root cause occurring, and
- The consequence (or effect) of that future occurrence.
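As an added example (not from this page or the DoD guides it cites), the Python below scores a small constructed risk register: each entry carries the three components listed above plus its chosen mitigation strategy, an assumed 5x5 Risk Reporting Matrix maps likelihood and consequence to low/moderate/high, and the register is ordered so red risks come first. The matrix thresholds, the Risk class and the sample entries are all assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed 5x5 Risk Reporting Matrix (rows = likelihood 1..5, columns =
# consequence 1..5). The thresholds are illustrative, not a program's own.
_MATRIX = (
    "LLLMM",  # likelihood 1 (not likely)
    "LLMMM",  # likelihood 2
    "LMMMH",  # likelihood 3
    "LMMHH",  # likelihood 4
    "MMHHH",  # likelihood 5 (near certainty)
)
_LEVEL = {"L": "low", "M": "moderate", "H": "high"}   # green / yellow / red
_RANK = {"high": 0, "moderate": 1, "low": 2}          # sort order, worst first
STRATEGIES = {"avoidance", "controlling", "transfer/sharing", "assumption"}


@dataclass(frozen=True)
class Risk:
    """One register entry (assumed structure): the three components plus strategy."""
    root_cause: str    # future root cause, yet to happen
    likelihood: int    # 1..5, assessed at the present time
    consequence: int   # 1..5, effect if the root cause occurs
    strategy: str      # one of STRATEGIES


def risk_level(likelihood: int, consequence: int) -> str:
    """Look up the reported level (low/moderate/high) for a likelihood/consequence pair."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    return _LEVEL[_MATRIX[likelihood - 1][consequence - 1]]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order the register worst-first: red before yellow before green, then by score."""
    for r in risks:
        if r.strategy not in STRATEGIES:
            raise ValueError(f"unknown mitigation strategy {r.strategy!r} for {r.root_cause!r}")
    return sorted(
        risks,
        key=lambda r: (_RANK[risk_level(r.likelihood, r.consequence)],
                       -(r.likelihood * r.consequence)),
    )


# Constructed sample register (not from the page).
SAMPLE_REGISTER = [
    Risk("Key supplier cannot meet delivery date", 4, 3, "transfer/sharing"),
    Risk("Untested radar algorithm fails qualification", 3, 5, "controlling"),
    Risk("Minor GUI rework during test", 2, 1, "assumption"),
    Risk("Obsolete processor unavailable at production", 5, 4, "avoidance"),
]
```

Calling `prioritize(SAMPLE_REGISTER)` returns the two red risks first (processor obsolescence, then the radar algorithm), the yellow supplier risk next, and the green GUI risk last.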
Risk Mitigation Best Practices
Understanding risk best practices will help ensure that an organization optimizes its approach to eliminating risk and hazards from its environment. The Program Manager and stakeholders should understand the best practices below:
- Everyone in the organization should be involved in risk management. Make sure internal and external stakeholders are involved.
- Create a risk management culture.
- Communicate risks as they arise.
- Communicate the organization’s risk policy to everyone and ensure it’s understood.
- Never stop monitoring possible risks and evaluating areas to improve.
Risk Management Objectives
The objective of a well-managed risk management program is to provide a repeatable process for balancing cost, schedule, and performance goals within program funding. This is especially true on programs with designs that approach or exceed the state of the art, or that have tightly constrained or optimistic cost, schedule, and performance goals. Without effective risk management, the Program Management Office (PMO) may find itself doing crisis management, a resource-intensive process that is typically constrained by a restricted set of available options. Successful risk management depends on the knowledge gleaned from assessments of all aspects of the program, coupled with appropriate mitigations applied to the specific root causes and consequences.
- For a more detailed explanation of risk, see the DoD Risk, Issue, and Opportunity Management Guidance for Defense Acquisition Programs – June 2015.
AcqLinks and References:
- DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions – Jan 2017
- DoD Risk Management Guidebook – Section 5.0 – Aug 06 (Outdated)
- Defense Acquisition Guidebook (DAG) – Chapter 2 & 4
- Risk Assessment Checklist
- Risk Assessment Worksheet and Management Plan
- Continuous Risk Management Guidebook by Carnegie Mellon
- Template: Risk Management Plan
- Template: Project Risk Management Template