Treatment / Mitigation of Critical Risks

This is the stage at which the risk-management process is carried out. This is where the actions and resources needed to mitigate critical risks are defined through specific action plans or projects aimed at reducing the levels of vulnerability in protection systems that avoid or reduce the probability or consequences of the attainment of a given risk. At this stage, the risks to be addressed are prioritized.

Mitigation Plan

The risk treatment / mitigation phase consists basically in the definition and implementation of Action Plans / Mitigation or specific projects aimed at reducing the levels of vulnerability in the protection systems that avoid or reduce the consequences of the realization of a certain risk.

They are nothing more than action plans geared toward risk mitigation with some modifications in their structures, such as Accountable and Responsible definition for each action. Its main purpose is to ensure that mitigation actions for critical risks will be put into practice and its implementation process will be monitored in some way.

One of the most critical phases is the definition of “Responsibility” of each risk (who will be responsible for performing the actions to mitigate a certain risk) and “Accountabiliy” (who will be responsible for responding if the actions for the mitigation of certain risk, if not implemented). The basic difference lies in the accountability of the consequences of the risk (usually level management or direction) and who actually drives the action plans and controls.

It is desirable that any action plan developed to mitigate critical risks has the definition of who is “Accountable” and who is “Responsibile” for each risk.

The lack of definition of these roles entails the lack of implementation of effective actions to mitigate risks. Often we identify risks that are known to every management, but there is no one responsible for monitoring or treating them. On the other hand, we come across cases where there are several Accountables, but no one Responsible for risk, ie several monitoring and controlling risk, but no one performing any effective action to mitigate the risk.

Care must be taken that the English word “Accountable” has a similarity of meaning with the word Responsible in Portuguese with respect to a responsibility in the broadest sense. While the word “Responsible” in English refers to who performs the action to mitigate the risk, ie the “Doer” of the mitigation action.

To facilitate understanding, the following is an example of a Risk Mitigation Plan :

risk mitigation 1

Risk Sheet

Sometimes, instead of the Mitigation Plan or to complement it, the Risk Sheet is used to carry out the role of risk monitoring, control and mitigation. The Risk Sheethas more complete information about the risk that allows a better follow-up of the same. Basically, the Risk Sheets have information grouped into 8 main topics: Risk Descriptive, Scenarios & Effects, Strategic Impacts, Risk Measurement, Losses, Understanding Risk, Mitigation Measures and Governance (Monitoring, Control and Indicators). Below is a template with the comments below:

Business Awareness 1

Descriptive – Describes the scenario of risk materialization, ie the worst case scenario if the risk materializes.

Business: Describes the impact of the realization of the risk on the business

Staff (internal public): Describes the impact of the achievement of risk on employees

Clients: Describes the impact of the realization of risk on clients

Assets (equity): Describes the impact of the realization of risk on equity

Community: Describes the impact of the achievement of risk on the community

Media: Describes the impact of risk materialization on the media

Financial: Describes the impact of the realization of risk in terms of financial loss

Legal: Describes the impact of the risk materialization on the legal aspects

Other: Describes the impact of the realization of risk on any other variable that has not been previously considered but which is considered relevant

Critical Success Factors: Define Critical Success Factors Impacted by Risk

Strategic Objectives: Define Strategic Objectives impacted by risk

Impact: Defines Risk Impact Quantification

Probability: Defines the probability estimation of the risk

Vulnerability: Defines the Vulnerability Index

Risk Index: Defines the Risk Index that is composed of the product of the IQ x EP

Effectiveness Indicator: Defines the Effectiveness Index (Risk Index X Vulnerability Index)

Classification: Classifies the risk with a color code of 5 levels defining the level of attention and control to be dispensed by the risk management team

Direct Losses: Defines the direct losses of the realization of a certain risk

Indirect Losses: Defines the indirect losses of the realization of a certain risk

Maximum Damage: Defines the Possible Maximum Damage to the realization of a certain risk

Possible Loss: Defines the Probable Maximum Loss of the realization of a certain risk

Expected Loss: Defines the Estimated Expected Loss (Impact X Probability) of the achievement of a given risk, quantitatively defined

Coverage: Defines the insurance coverage currently contracted for a certain risk

Source: Defines the source (causative agent / ignitor fact) for a certain risk

Risk Factor: Defines the Risk Factor (vulnerabilities) in the protection systems for a certain risk

Critical Process: Defines the Critical Process where the risk occurs

Ownership: Defines the person responsible for the Critical Process impacted by the risk

Maturity level: Define the level of maturity that the critical process has in terms of standards and procedures, such as: flowcharts, POPs, work instructions, etc.

Family: Defined the family to which certain risk belongs, such as: operational, strategic, financial, etc.

Sub-Process: Define the subprocesses of the Critical Process where the risk occurs

Ownership: Defines the person responsible for the critical sub-process impacted by the risk

Maturity level: Define the level of maturity that the critical sub-process has in terms of norms and procedures, such as: flowcharts, POPs, work instructions, etc.

GR Process: Define the risk management processes to assist in the control of the Critical Process where the risk occurs

Ownership: Defines the person in charge of the Risk Management Process developed for the mitigation of risk in a certain process or critical sub-process.

Family: Define the level of maturity that the risk management process has in terms of standards and procedures, such as: flowcharts, POPs, work instructions, etc.

Action: Defines the actions of mitigation for the reduction of certain risk

Responsible: Defines the person responsible for the implementation of mitigation actions to reduce a certain risk, effectively by those who implement and / or conduct a given mitigation activity (executor)

Accountable: Defines the person responsible for coordinating and / or supervising mitigation actions to reduce a given risk, who manages and will respond if his executor does not implement the mitigation action

Start: Defines the date to be initiated by determining a mitigation project or action. Sometimes it is necessary to set checkdates during the process of implementing the solution in view of its degree of complexity.

Deadline: Defines the deadline for the implementation of mitigation actions to reduce certain risks

Internal Control: Defines internal control to assist in mitigation actions to reduce certain risks

Control Number: Defines the internal control number to assist mitigation actions to reduce certain risk

KPI: Sets the KPI (indicator) of a certain critical process

KRI: Defines the KRI (indicator) of certain critical process risk. It is a trend indicator that avoids providing timely warning to the manager by anticipating that a particular KPI may not be reached if no corrective action is defined

Cycle: Defines the cycle of measurement of the KPI and KRI (indicator) of risk for a certain critical process

Audit: Defines the type and frequency of risk auditing for a given critical process

Status: Defines risk governance status if KRIs and audit cycles are in compliance