Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Comparable to risk reduction, risk mitigation takes steps to reduce the negative effects of threats and disasters on business continuity (BC). Threats that might put a business at risk include cyberattacks, weather events and other causes of physical or virtual damage to a data center.
Risk mitigation is one element of risk management, and its implementation will differ by organization. Although the principle of risk mitigation is to prepare a business for all potential risks, a proper risk mitigation plan will weigh the impact of each risk and prioritize planning around that impact. Risk mitigation focuses on the inevitability of some disasters and is used for those situations where a threat cannot be avoided entirely. Rather than planning to avoid a risk, mitigation deals with the aftermath of a disaster and the steps that can be taken prior to the event occurring to reduce adverse, and potentially long-term, effects.
One aspect of risk mitigation is prioritization -- accepting an amount of risk in one part of the organization to better protect another. By establishing an acceptable level of risk for different areas, an organization can better prepare the resources needed for business continuity while putting less mission-critical business functions on the back burner.
Ideally, an organization would be prepared for all risks and threats and avoid them entirely. However, having a risk mitigation plan can help an organization prepare for the worst, acknowledging that some degree of damage will occur and having systems in place to confront that.
What's in a risk mitigation plan
A risk mitigation strategy takes into account not only the priorities and mission-critical data of each organization, but any risks that might arise due to the nature of the field or geographic location. A risk mitigation strategy must also factor in an organization's employees and their needs.
When creating a risk mitigation plan, there are a few steps that are fairly standard for most organizations. Recognizing recurring risks, prioritizing risk mitigation and monitoring the established plan are vital aspects to maintaining a thorough risk mitigation strategy.
In business continuity planning, testing a plan is vital. Risk mitigation is no different. Once a plan is in place, regular testing should occur to make sure the plan is up to date. Risks facing data centers are constantly evolving, so risk mitigation plans should reflect any changes in risk or shifting priorities.
Risk mitigation vs. risk avoidance/reduction
Risk mitigation and risk avoidance are both elements of risk management, which is the overarching process of planning for and recovering from disasters. While they have similar processes and goals, there are key differences.
Risk mitigation is the process of planning for disasters and having a way to lessen the negative impact. Other elements of risk management include risk acceptance and risk transfer. Risk acceptance is accepting a risk for a given period of time to prioritize other risks. Risk transfer allocates risks between different parties, consistent with their capacity to protect against or mitigate the risk.
Risk avoidance is used when the consequences are deemed too high to justify the cost of mitigating the problem. For example, an organization can choose not to undertake certain business activities or practices to avoid any threat they might pose. Risk avoidance is a common business strategy and can range from something as simple as limiting investments to something as severe as not building offices in potential war zones.
Tools that can help
A risk assessment is vital to organize and prioritize risks, and can aid in forming a risk mitigation plan. By performing a risk assessment, all potential risks are listed and ranked in a way that gives an organization a more concrete plan for recovery.
A risk assessment framework (RAF) provides an organization with an outline of which systems are at high or low risk and presents information for both technical and nontechnical personnel. An RAF can be used as a risk mitigation tool by presenting consistent risk assessment and reporting methods. Common RAFs include the Risk Management Guide for Information Technology Systems from the National Institute of Standards and Technology (NIST); the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from Carnegie Mellon University; and Control Objectives for Information and Related Technology (COBIT) from the Information Systems Audit and Control Association (ISACA).
Along with having a keen understanding of internal needs and resources, external specialists can also be a beneficial part of a risk mitigation plan. Several BC and disaster recovery (DR) vendors focus on risk mitigation, and even smaller organizations can take advantage of DR as a service (DRaaS) vendors to keep costs relatively low.