SSCP Study Guide

Risk Mitigation

The complete elimination of risks is usually an impossible task or one that is so impractical that it is not attempted. For this reason, risk mitigation is used to combat the impact of risks. Risk mitigation is the process of reducing risk to an acceptable level through controls and safeguards, which are implemented to protect against specific threats. Cost-effective approaches are used to apply appropriate methods of regulating the risk and decreasing its impact to an appropriate level. In other words, you deal with the risk in the best way possible with the least amount of cost.

How a potential threat is dealt with is largely dependent on the choices that are made after identifying the risk. As shown in Figure 5.2, there are a number of options for risk mitigation. The choices available are:


Figure 5.2: Risk Mitigation Options

  • Assumption: The risk is accepted and a decision is made to continue operating or lower the likelihood and consequences of risks by implementing controls.

  • Avoidance: The risk is avoided by removing the cause or consequences of the risk.

  • Limitation: The risk is limited by applying safeguards to minimize its impact.

  • Planning: A plan is developed to prioritize, implement, and maintain safeguards.

  • Transference: The risk is transferred to another source, so that any loss can be compensated or the problem becomes that of another party.

  • Research: The vulnerability is acknowledged, but further research into controls to correct the vulnerability and lower the risk of loss is needed.
