Risk mitigation
Mitigation is the action or actions your organization takes to reduce the chance of a risk actually happening. If you choose to mitigate a risk, you need to provide a mitigation percentage for each control linked to the risk. Essentially, you’re stating that you want to mitigate “this much of the risk” by using the control.
For example, 30% mitigation on a control reduces the risk by 30%. The amount mitigated is reduced when the control is At risk (by half) or Critical (completely: the applied mitigation will be 0%, regardless of the percentage entered, until the risk is no longer in this state).
How mitigation works in Hyperproof
Hyperproof allows you to specify a likelihood mitigation percentage and an impact mitigation percentage. The mitigation percentage for each option can be a whole number or a number with up to two decimals, and must not exceed 100 percent. A control can be linked to multiple risks and have a different mitigation factor for each.
Likelihood mitigation - The percentage of the control that goes towards preventing a negative outcome from occurring.
Impact mitigation - The percentage of the control that goes towards reducing the impact of a negative outcome.
What if there is no mitigation?
The mitigation percentage for a linked control can be 0%, which has no effect on the overall risk score. If there’s no mitigation, then the inherent risk and the residual risk will be exactly the same.