
What is mitigation?

Mitigation is the action or actions your organization takes to reduce the chance of a risk actually occurring. If you choose to mitigate a risk, you need to provide a mitigation percentage for each control linked to the risk. Essentially, you’re stating that you want to mitigate “this much of the risk” by using that control. Note that the mitigation percentage can be a whole number or a number with up to two decimal places.

For example, 30% mitigation on a control reduces the risk by 30%. The amount actually applied is reduced when the control is At risk (halved) or Critical (removed entirely: the applied mitigation is 0%, whatever percentage was entered, until the control is no longer in that state).

What if there is no mitigation?

If there’s no mitigation, the Inherent risk and the Residual risk are exactly the same. In the diagram below, that is the same as 0% mitigation: an inherent risk of 25 multiplied by 1 gives a residual risk of 25 (25 x 1 = 25).

[Figure: scale-example1.png]
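The calculation described above, written out as an added Python example (not code from this page or its product): each control's applied mitigation is derived from its entered percentage and its health, then the residual risk is computed from the inherent risk. The Control fields, the "Healthy" status label, and the rule that mitigation from several controls is summed and capped at 100% are assumptions; the page itself only shows a single control.

```python
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Hypothetical control record; the field names are assumptions, not the product's schema.
@dataclass
class Control:
    name: str
    mitigation_pct: Decimal   # percentage entered on the control, e.g. Decimal("30") or Decimal("12.50")
    status: str               # "At risk" and "Critical" are the page's labels; "Healthy" is assumed

def validate_pct(pct: Decimal) -> Decimal:
    """Reject percentages outside 0..100 or with more than two decimal places."""
    if pct < 0 or pct > 100:
        raise ValueError(f"mitigation percentage out of range: {pct}")
    if pct != pct.quantize(Decimal("0.01")):
        raise ValueError(f"at most two decimal places allowed: {pct}")
    return pct

def applied_mitigation(control: Control) -> Decimal:
    """Mitigation that actually counts once the control's health is taken into account."""
    pct = validate_pct(control.mitigation_pct)
    if control.status == "Critical":
        return Decimal("0")      # a Critical control contributes nothing
    if control.status == "At risk":
        return pct / 2           # an At risk control contributes half its percentage
    return pct                   # a healthy control contributes the full percentage

def residual_risk(inherent: Decimal, controls: list[Control]) -> Decimal:
    """Residual = inherent x (1 - total applied mitigation).

    Assumption: several controls' applied mitigation is summed and capped at 100%.
    """
    total = sum((applied_mitigation(c) for c in controls), Decimal("0"))
    total = min(total, Decimal("100"))
    residual = inherent * (Decimal("100") - total) / Decimal("100")
    return residual.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

if __name__ == "__main__":
    # Constructed sample: one risk with inherent score 25 and a single MFA control at 30%.
    inherent = Decimal("25")
    for status in ("Healthy", "At risk", "Critical"):
        ctrl = Control("MFA on admin accounts", Decimal("30"), status)
        print(f"{status:8s} -> applied {applied_mitigation(ctrl)}%  residual {residual_risk(inherent, [ctrl])}")
```

With no controls the residual equals the inherent risk (25 x 1 = 25); at 30% on a healthy control it drops to 17.50, on an At risk control to 21.25, and on a Critical control it stays at 25.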