Risk management

Risk mitigation strategies

Implement controls to reduce and manage identified risks.

Overview

Risk mitigation is the process of taking action to reduce identified risks to acceptable levels. While risk assessment tells you what risks exist and how serious they are, risk mitigation is about deciding what to do about them and tracking your progress toward reducing exposure.

Effective mitigation transforms risk management from a documentation exercise into active risk reduction. Without mitigation planning, risks remain theoretical concerns. With it, you have a clear path from identifying a problem to solving it.

Mitigation approaches

When addressing a risk, you typically have four options:

  • Avoid: Eliminate the risk entirely by not proceeding with the risky activity
  • Reduce: Implement controls that lower the likelihood or impact of the risk
  • Transfer: Shift the risk to another party through insurance, contracts, or partnerships
  • Accept: Acknowledge the risk and proceed without additional controls when the risk is low or mitigation is not cost-effective

Most AI risks are addressed through reduction — implementing technical controls, process changes, or monitoring that makes the risk less likely or less severe.

Mitigation information is stored directly on each risk record, making it easy to see both the risk and its treatment in a single view.

Mitigation status

Track the progress of your mitigation efforts using these status options:

  • Not started: Mitigation has been identified but work has not begun.
  • In progress: Mitigation activities are currently underway.
  • Completed: All mitigation activities have been implemented.
  • On hold: Mitigation work has been temporarily paused.
  • Deferred: Mitigation has been postponed to a later date.
  • Requires review: Mitigation needs additional review or reassessment.

Creating a mitigation plan

For each risk requiring mitigation, document the following:

  1. Mitigation plan: Describe the specific actions to reduce the risk
  2. Implementation strategy: Outline how the mitigation will be executed
  3. Deadline: Set a target date for completing the mitigation
  4. Risk owner: Assign responsibility for implementing the mitigation

Tracking risk levels

VerifyWise tracks multiple risk level measurements to show mitigation effectiveness:

  • Auto-calculated risk level: The initial risk level based on likelihood and severity
  • Current risk level: The present risk level after any controls are in place
  • Final risk level: The expected residual risk after all mitigations are complete

The current risk level takes one of the following values:

  • Very low risk
  • Low risk
  • Medium risk
  • High risk
  • Very high risk

Post-mitigation assessment

After implementing mitigation controls, reassess the risk using:

  • Likelihood after mitigation: Re-evaluate probability with controls in place
  • Risk severity: Assess the impact level after mitigation (Negligible, Minor, Moderate, Major, or Critical)
  • Final risk level: Document the residual risk

Best practice: Always reassess likelihood and severity after implementing mitigation controls. This provides an accurate picture of your residual risk exposure.

Mitigation evidence

Document proof that mitigation controls have been implemented:

  • Upload mitigation evidence documents directly to the risk record
  • Link to related evidence in the Evidence Hub
  • Reference implementation artifacts and test results

Risk approval workflow

For significant risks, VerifyWise supports an approval process:

  1. Risk owner completes the mitigation plan
  2. Risk is assigned to an approver for review
  3. Approver reviews the mitigation approach and evidence
  4. Approval status is updated to reflect the decision

Review notes

Use the review notes field to capture ongoing observations about the risk and its mitigation:

  • Changes in risk conditions
  • Observations during implementation
  • Stakeholder feedback
  • Lessons learned
  • Recommendations for future reviews

Mapping to controls

Link mitigation activities to governance controls in your compliance frameworks. This creates traceability between:

  • Risk records and the controls that address them
  • Assessment requirements and mitigation evidence
  • Compliance frameworks and risk management activities