What is Risk Mitigation?
If we look at the definition of risk, we notice that definitions 3a, 3b, and 3c all deal with insurance and potential losses to insurers. Understanding this link between risk and insurance is essential in formulating a workable definition for risk mitigation: risk mitigation is the purchase of insurance against a possible future loss. This definition, though concise, embodies significant complexity.
Risk Mitigation Can Be Optional
Except in cases where insurance is legally required (e.g., auto insurance) or when a third party requires it for protection against loss (e.g., a lender requiring fire insurance on a house), the purchase of insurance is optional. If you believe that the likelihood of an adverse event is small enough, or that the consequential loss is small enough, you may choose to forgo insurance. The same is true for risk mitigation. It may be desirable to insure against possible future events, but unless it is mandated, program management has the option to forgo risk mitigation. In particular, risk mitigation must be viewed as an activity that is outside the normal scope of program activity. Put another way, if normal business practices will eliminate the possibility of an adverse event, or reduce to an acceptable level the cost of an adverse event, then such an event is not a risk, and the practices mentioned are not risk mitigation.
Risk Mitigation Must Be Economical
Nobody would pay $200,000 to insure a home and its contents valued at $100,000. The homeowner must engage in some sort of cost/benefit analysis to determine the maximum amount he is willing to pay for insurance. The same is true for risk mitigation. Program management must perform a cost/benefit analysis to determine the acceptable limits on the cost of risk mitigation. This requires that program management have an accurate assessment of the probability that a loss could occur, and an accurate assessment of the total cost of such a loss.
Risk Mitigation May Lead To Unnecessary Costs
If an owner purchases auto insurance and is never involved in an accident, he can view the cost of the insurance, in retrospect, as an unnecessary cost: he spent money to insure against a loss that never occurred. If the owner is involved in numerous accidents, however, he can view the cost of the insurance, in retrospect, as a sound investment. The same is true for risk mitigation. First, risk mitigation will involve a potentially unnecessary cost. Second, if the risk event that is being mitigated never occurs, the cost will prove to have been unnecessary. Third, if the risk event does occur, the cost of the mitigation will prove to have been a sound investment. And fourth, the final analysis of whether the cost was unnecessary or was a sound investment can only be made in retrospect. Program management must be aware that the costs of risk mitigation may prove to have been unnecessary, and must be able to accept that understanding as a sound business decision.
Risk Mitigation Is Unusual
This is a restatement of a point made in the section about risk mitigation being optional, but the point is sufficiently important that the repetition is warranted. Normal engineering practices, normal manufacturing practices, normal testing practices—in short, all normal business practices—are not, by definition, risk mitigation. If these practices will eliminate the possibility of future events occurring, or will limit the consequences of future events to acceptable outcomes, then those future events are not properly classified as risks. If an uncertain future event is properly classified as a risk, then the mitigation must be an undertaking that is outside normal business practices.