We all want to reduce threats. This brief post talks about mitigation, which is any action taken to decrease the likelihood of a threat occurring, decrease the impact if it does occur, or decrease the suddenness of its onset in order to give the organization more time to respond. Mitigation is almost always specific to the particular threat identified. Nevertheless, four simple overarching principles are critical for proper mitigation.
First, assign specific mitigation efforts for each threat.
Second, assign an owner for each mitigation effort.
Third, review periodically to confirm whether the mitigation efforts have been implemented, whether the efforts were successful, and whether additional steps are required.
Fourth, learn something from each mitigation attempt. Learn what works, what doesn’t, and what’s ambiguous.
In other words, mitigation needs to be specific. Someone needs to own it. Someone needs to check up, so that there is accountability. And finally, the organization should continuously learn how to avoid threats more efficiently and effectively.