Risk Mitigation (it used to be called Risk Handling) is the process that identifies, evaluates, selects, and implements options in order to set risk at acceptable levels given program constraints and objectives. This includes the specifics on what should be done, when it should be accomplished, who is responsible, and associated cost and schedule.
Definition: Risk mitigation is a strategy to prepare for and reduce the effects of risks or threats to a project, system, or business.
Understanding Risk Management
Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction.
Risk Mitigation Goal
The goal of risk mitigation is to lessen or eliminate the impact that risk has upon a program or business. In short, eliminate as much risk as possible.
Risk Mitigation Strategies
For each risk that is identified, the type of mitigation strategy must be determined and the details of the mitigation described in the Risk Mitigation Plan. The intent of the risk mitigation plan is to ensure successful risk mitigation occurs.
The most appropriate strategy is selected from these mitigation options: [1, 2]
- Risk Avoidance: This is when it’s decided to perform other activities that don’t carry the identified risk by eliminating the root cause and/or consequence. It seeks to reconfigure the project such that the risk in question disappears or is reduced to an acceptable value.
- Risk Controlling: This is when you control the risk by managing the cause and/or consequence. Risk control can take the form of installing data-gathering or early warning systems that provide information to assess more accurately the impact, likelihood, or timing of a risk. If a warning of risk can be obtained early enough to take action against it, then information gathering may be preferable to more tangible and possibly more expensive actions.
- Risk Transfer/Sharing: This is when you share the risk with a third party like an insurance company or subcontractor.
- Risk Assumption: This is when you accept the loss, or benefit of gain, from a risk when it occurs. Risk assumption is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained.
Risk Mitigation Planning
Risk mitigation planning is the activity that identifies, evaluates, and selects options to set risk at acceptable levels given program constraints and objectives. Risk mitigation planning is intended to enable program success. It includes the specifics of what should be done, when it should be accomplished, who is responsible, and the funding required to implement the risk mitigation plan. The most appropriate program approach is selected from the mitigation options listed above and documented in a Risk Mitigation Plan. 
The level of detail depends on the program life-cycle phase and the nature of the need to be addressed. However, there must be enough detail to allow a general estimate of the effort required and technological capabilities needed based on system complexity. 
Risk Management Plan
A Risk Management Plan (RMP) is prepared by a Project Manager (PM) to address risks and their potential impact on a program, and it consists of ways to reduce these risks. The RMP tells the government and contractor team how they plan on reducing risks to a certain level by a certain time.
Risk Mitigation Best Practices
Understanding risk best practices will help ensure that an organization is optimal in its approach to eliminating risk and hazards from its environment. The Program Manager and stakeholders should understand the best practices below:
- Everyone in the organization should be involved in risk management. Make sure internal and external stakeholders are involved.
- Create a risk management culture.
- Communicate risks as they arise.
- Communicate the organization’s risk policy to everyone and make sure it’s understood.
- Never stop monitoring possible risks and evaluating areas to improve.
- For a more detailed explanation of risk, visit the DoD Risk Issue and Opportunity Management Guidance for Defense Acquisition Programs – June 2015.
AcqLinks and References:
- DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions – Jan 2017
- DoD Risk Management Guidebook – Section 5.0 – Aug 06 (Outdated)
- Defense Acquisition Guidebook (DAG) – Chapter 2 & 4
- Risk Assessment Checklist
- Risk Assessment Worksheet and Management Plan
- Continuous Risk Management Guidebook by Carnegie Mellon
- Template: Risk Management Plan
- Template: Project Risk Management Template