Risk mitigation strategies
Implement controls to reduce and manage identified risks.
Overview
Risk mitigation is about taking action to bring identified risks down to acceptable levels. Risk assessment tells you what's out there and how serious it is. Mitigation is where you decide what to do about it and track your progress.
Without mitigation planning, risks stay as theoretical concerns in a spreadsheet. With it, you've got a clear path from spotting a problem to actually solving it.
Mitigation approaches
When addressing a risk, you typically have four options:
- Avoid: Eliminate the risk entirely by not proceeding with the risky activity
- Reduce: Implement controls that lower the likelihood or impact of the risk
- Transfer: Shift the risk to another party through insurance, contracts or partnerships
- Accept: Acknowledge the risk and move forward without extra controls when the risk is low or mitigation isn't cost-effective
Most AI risks are handled through reduction: technical controls, process changes or monitoring that make the risk less likely or less severe. Two caveats apply to the other options. Transfer moves the cost of an incident, not accountability for it, so a contract with a model or data vendor still leaves you responsible for the outcome. Acceptance is a decision, not an absence of one: record who accepted the risk, why, and when it will be revisited.
Mitigation status
Track the progress of your mitigation efforts using these status options:
Not started
Mitigation has been identified but work has not begun.
In progress
Mitigation activities are currently underway.
Completed
All mitigation activities have been implemented.
On hold
Mitigation work has been temporarily paused.
Deferred
Mitigation has been postponed to a later date.
Canceled
Mitigation has been canceled and will not be pursued.
Requires review
Mitigation needs additional review or reassessment.
Creating a mitigation plan
For each risk requiring mitigation, document the following:
- Mitigation plan: Describe the specific actions to reduce the risk
- Implementation strategy: Outline how the mitigation will be executed
- Deadline: Set a target date for completing the mitigation
- Approver: Assign responsibility for approving the mitigation
Tracking risk levels
VerifyWise tracks two risk level measurements so you can see whether your mitigations are working:
- Current risk level: The present risk level captured on the mitigation form (manually selected from Low / Medium / High / Critical)
- Residual risk: Calculated automatically from residual likelihood × residual severity once mitigations are in place
Current risk levels range from:
- Very low risk
- Low risk
- Medium risk
- High risk
- Very high risk
Post-mitigation assessment
After implementing mitigation controls, reassess the risk using:
- Likelihood after mitigation: Re-evaluate probability with controls in place
- Risk severity: Assess the impact level after mitigation (Negligible, Minor, Moderate, Major, or Critical)
- Final risk level: Document the residual risk
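The two sections above describe the same calculation from two angles: residual risk is residual likelihood multiplied by residual severity, and the result is recorded as the final risk level. The following is an added example, not VerifyWise code, that works that calculation through and adds the consistency checks a reviewer would run before accepting a record as Completed. The severity labels and the five risk levels are the ones this page lists; the numeric weights, the likelihood labels, the score-to-level bands and the `RiskRecord` fields are assumptions for illustration and are not the product's own.

```python
from dataclasses import dataclass, field

# Severity labels as named on the page; the numeric weights are an assumption.
SEVERITY = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Critical": 5}
# Assumed 5-point likelihood scale (the page names no likelihood labels).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
# Assumed bands: inclusive upper bound of the 1..25 product for each level the page lists.
BANDS = [
    (4, "Very low risk"),
    (8, "Low risk"),
    (12, "Medium risk"),
    (16, "High risk"),
    (25, "Very high risk"),
]
HIGH_LEVELS = {"High risk", "Very high risk"}
NO_WORK_DONE = {"Not started", "Deferred", "Canceled"}


def risk_score(likelihood: str, severity: str) -> int:
    """Likelihood x severity on the assumed 1..5 scales (KeyError on an unknown label)."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the five-level scale the page lists."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside 1..25")


@dataclass
class RiskRecord:
    """Hypothetical mitigation record; field names are assumptions, not the product's schema."""
    risk_id: str
    likelihood: str            # assessed before mitigation
    severity: str
    residual_likelihood: str   # re-assessed after mitigation
    residual_severity: str
    status: str                # one of the page's mitigation status options
    evidence: list[str] = field(default_factory=list)
    approved: bool = False


def residual_level(rec: RiskRecord) -> str:
    """The final (residual) risk level for the record."""
    return risk_level(risk_score(rec.residual_likelihood, rec.residual_severity))


def consistency_findings(rec: RiskRecord) -> list[str]:
    """Checks a reviewer would run before accepting the record as Completed."""
    findings = []
    before = risk_score(rec.likelihood, rec.severity)
    after = risk_score(rec.residual_likelihood, rec.residual_severity)
    if after > before:
        findings.append("residual score exceeds pre-mitigation score; re-check the assessment")
    if rec.status in NO_WORK_DONE and after < before:
        findings.append("residual is lower than pre-mitigation but no mitigation is in place")
    if rec.status == "Completed":
        if not rec.evidence:
            findings.append("Completed without mitigation evidence")
        if risk_level(after) in HIGH_LEVELS and not rec.approved:
            findings.append("Completed with high residual risk but no approver sign-off")
    return findings


if __name__ == "__main__":
    # Constructed sample record, not real data.
    rec = RiskRecord("R-1", "Likely", "Major", "Unlikely", "Major", "Completed",
                     evidence=["redteam-report.pdf"], approved=True)
    print(residual_level(rec), consistency_findings(rec))
```

The third check is the one most often missed in practice: a record whose status is still Not started or Deferred should carry a residual level equal to its current level, because nothing has yet reduced it. Lowering the residual in advance of the work makes the register look better than the system actually is.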
Mitigation evidence
Document proof that mitigation controls have been implemented:
- Upload mitigation evidence documents directly to the risk record
- Link to related evidence in the Evidence Hub
- Reference implementation artifacts and test results
Risk approval workflow
For higher-rated risks, VerifyWise has an approval process:
- Action owner completes the mitigation plan
- Risk is assigned to an approver for review
- Approver reviews the mitigation approach and evidence
- Approval status is updated to reflect the decision
Review notes
Use the review notes field to capture ongoing observations about the risk and its mitigation:
- Changes in risk conditions
- Observations during implementation
- Stakeholder feedback
- Lessons learned
- Recommendations for future reviews
Mapping to controls
Link mitigation activities to governance controls in your compliance frameworks. This gives you traceability between:
- Risk records and the controls that address them
- Assessment requirements and mitigation evidence
- Compliance frameworks and risk management activities