Risk mitigation Definition: Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk.
Risk mitigation is a risk treatment strategy in which an organization implements security controls to reduce either the likelihood of a threat occurring or the potential impact if it does occur. This approach acknowledges the risk but takes action to reduce it to an acceptable level. Risk mitigation is defined in standards such as ISO 31000, ISO 27001, the NIST RMF and various regulatory frameworks. Organizations implement risk mitigation through control selection based on risk assessment, layered defense strategies, cost-benefit analysis and control effectiveness monitoring. For example, to address the risk of unauthorized access to sensitive customer information, a healthcare provider might implement a comprehensive mitigation strategy including multi-factor authentication, data encryption, access logging, user activity monitoring and regular access reviews, reducing both the likelihood of unauthorized access and the potential impact if it occurs.

Related terms: Security controls, Defense in depth, Risk reduction, Control effectiveness, Preventive controls, Detective controls, Corrective controls, Layered security.