We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

Manage Tomorrow's Surprises Today

Steven Minsky

Best Practices for Developing Mitigation Plans

Vote 0 Votes

ERM Mitigation EffectivenessA common challenge for early-stage ERM programs is making the step from risk identification and prioritization to the formalization of a control (or mitigation) environment. Keep in mind, it is only possible to know if a Mitigation Activity is effective and efficient if the objective of this activity is known. The objective o f the activity must also be risk and performance focused. Organizations often lose track of why a particular mitigation activity was implemented to begin with, and fail to recognize whether the mitigation activity is a) still relevant to mitigating the risk and b) maintains the appropriate balance of risk exposure to mitigation cost.

The best way to ensure that your migration activities remain focused is to link the mitigation activity directly to the risks, readiness standards and performance objectives that the mitigation activity addresses.

Every organization has some documented controls. Starting here and then entering existing tests and monitoring for these controls may help existing employees not familiar with risk management to recognize their existing work to help quickly orient colleagues and accelerate participation. The process of linking risk to mitigation, and mitigation to testing will also reveal gaps in your ERM process where risks aren't being addressed or where controls and test are existing in isolation.

This will also help identify redundant controls as well and clarify the purpose of existing controls. An assessment can then be conducted to identify new and emerging risks, goals and compliance initiatives that may not be covered by existing controls.

When documenting a Mitigation Activity, identify the main subject of the activity. The purpose is to help consolidate disparate controls to strengthen the overall program. A simple, concise purpose reduces cost and time in managing and providing oversight of mitigation activity. The goal is to have a library of activities that you can pull from as related risks emerge down the road.

Mitigation Plans

Mitigation activities should meet the following planning scenarios:

Change Management: How do you manage change to the activity over time?

Compatibility: Is the activity aligned with other activities?

Corporate Objectives: Are performance goals advanced by this activity?

Cost: Does the cost exceed the benefit derived from it?

Dependencies: Are the relevant resource elements linked to the activity?

Effectiveness: Does it address specific risks?

Efficiency: Is it easy to implement and monitor?

Leverage: Can it be provide benefit in other areas?

Ownership: Who is responsible for maintaining this activity?

Regulatory: Does it address compliance readiness standards?

LogicManager Mitigation activities have templates with placeholder fields to address each of these questions. For a walkthrough on improving the entirety of your ERM process, watch our webinar on the 5 Key Principles of an Actionable ERM Framework.

Enhanced by Zemanta

Leave a comment

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.

Recently Commented On

Monthly Archives