
How Do You Manage or Mitigate Risk?

April 9, 2013 by Dr. Jon Warner in Risk Management


Once workplace risks have been identified and assessed, all potential options or techniques to manage each risk fall into one or more of these four major categories:

A. Avoidance (Terminating the risk)
B. Transfer (Transferring the risk)
C. Mitigation (Treating the risk)
D. Acceptance (Tolerating the risk)

Let’s therefore look a little more closely at each of these options.

A. Avoidance (Terminating the risk)

The best risk management strategy of all is avoidance or elimination, so we should invest the most effort into investigating this option wherever possible. Avoidance usually means not doing a task or project at all in the future but it can also mean redesigning work or a process so that the risky step no longer has to be taken.

In reality avoidance is often much more possible than many people think because many risks are “introduced” by particular decisions and can be “un-introduced” or removed by different decisions (especially if the leader or manager who introduced the risk is the one responsible for making the decision to avoid the risk).

Avoidance or elimination strategies include the option of not performing an activity that could carry risk at all. An example would be not buying a property or business in order to not take on the liability that comes with it. Another would be not flying in order to avoid the risk of being on board if the airplane were hijacked.

Avoidance may appear to be the best solution to all risks. However, avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. Equally, not flying means either not getting to your destination (if you stay home) or having to choose another mode of travel (which may have different risks to consider).

B. Transfer (Transferring the risk)

Transfer is not always available to the manager as an option but after looking at avoidance strategies this may be the next best choice.

Transfer means causing another party to accept the risk, typically by contract or by hedging. Insurance is one type of risk transfer that uses contracts. Other times it may involve contract language that transfers a risk to another party without the payment of an insurance premium. Liability among construction or other contractors is often transferred this way. Another example would be taking offsetting positions in derivative securities. This is typically how brokerage firms or fund managers use hedging for financial risk management.

The ways in which risk is potentially transferred fall into several categories. Risk retention pools are technically retaining the risk for all participants, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group. In many ways, transfer may sound simply like ‘passing on’ the risk to someone else to tackle. However, if another party or a group of people or even a different enterprise can manage a specific risk better than we can, it is a legitimate option to pursue.

C. Mitigation (Treating the risk)

Mitigation (or treating/lessening the risk in some way) is essentially concerned with lessening the impact that a particular risk might have. In considering this strategy, we have usually accepted that the risk cannot be readily avoided or transferred and are therefore now only trying to keep the expected loss or damage to acceptable levels.

Of course, “acceptable” is a subjective term and has to do with how much risk the organization may be comfortable in taking from task to task or project to project. However, in all cases, the aim is to either lower or increase the likelihood (depending upon whether the risk is positive or negative) and/or decrease or increase the impact.

In most cases, mitigation involves achieving a reduction of the risk impact. This means that our mitigation strategies should either reduce the probability that the risk will occur or lessen the overall severity (damage or loss) experienced when it happens. For example, I can potentially lower my need to go for medical checks for high blood pressure by changing my diet and exercising more (and thereby lower the possibility of having a heart attack and the severity of it if it does occur).

D. Acceptance (Tolerating the risk)

Risk retention or tolerance is the level of risk an organization is willing to accept in order to achieve its business goals or objectives. Every individual and every organization has a different level of risk tolerance (often called its risk appetite), with corporate culture and values being a primary driver behind acceptable tolerance levels. For instance, the nuclear industry may have a very conservative, low risk tolerance culture for everything that it does (and often spends a lot of time and money on risk management and safety measures). An advertising agency, on the other hand, may have a very high risk tolerance culture and therefore is willing to make “riskier” decisions about a lot of things it does.

Risk tolerance then is the result of making a deliberate decision to endure the consequences of an event should it occur. Tolerance of the risk can take one of two forms, passive and active.

Passive acceptance occurs when no action is taken to resolve the risk, cope with it, or otherwise manage it.

With active acceptance, action is taken to manage the impact of the event should the event occur. In these circumstances, contingency or fallback plans are followed only when the event occurs.

Risk tolerance is the lowest form of control, inasmuch as it is typically only a good choice when all other strategies are not viable. As such, we either live with the risk and its loss consequences or we use the only available protection we can as a barrier or final line of defense.

A good example of this is in the area of noise. In some industries, old equipment is too expensive to replace immediately, so the noise risk (and potential damage to hearing) is tolerated (by both regulatory authorities and the management team in an organization). The best and only form of defense against the risk in these circumstances is personal protective equipment (PPE) like ear plugs (although they may not work completely in long periods of exposure).

Hence, risk tolerance is finally a matter of choice for the organization, but such choices should always be made wisely and based on the circumstances faced at a given time (e.g. it may be a tolerable risk now, but is this going to be the case 6 or 12 months from now?).

Risk Management – A summary example

So let’s put what we have learned together now and look at one particular risk and how it may be treated according to all four management strategies. In the example below, a cheap but not standard part has been used in a lathe in a factory or manufacturing plant.

Avoid, Transfer, Mitigate, Accept

As the table suggests, we can avoid the risk of the part being both cheap and non-standard by using a standard part (easier to get spares) and paying more for it so that it is more reliable (a sort of insurance if you like).

We can also transfer the risk by making sure that our insurance policy covers the risk of failure of this part; this may cost an extra premium but maybe not as much as bearing the whole cost ourselves.

We can also mitigate or lessen the risk by periodically checking for wear on this part so that when it is close to failure we can buy a replacement and suffer less downtime perhaps.

Finally, we can accept or tolerate the risk by taking the chance that the part will not fail (or not cost us much if and when it does). After all, we probably bought the spare part to save money and take extra risk in doing so.

Ultimately, then, the way we manage risks always presents us with a choice, with the default position being doing nothing at all (accepting the risk both deliberately and sometimes accidentally because we are not aware of it in the first place). How far we then go up the risk management hierarchy will be a function of how we want to manage the likelihood of a given risk occurring and the impact on individuals or our business if it does.


About Dr. Jon Warner

Dr. Jon Warner is a prolific author, management consultant and executive coach with over 25 years experience. He has an MBA and a PhD in Organizational Psychology. Jon can be reached at


One Comment

  1. Marcus Lang, August 18, 2016 at 9:20 am

    Thanks – good explanation. There is one action, though, that is missing: exploit. That is, if a risk can be changed to an opportunity or is an opportunity itself.
