Risk mitigation is the plan of specific actions your organisation will take following completion of the risk assessment. Your mitigation measures or actions should focus on the threats specific to your organisation’s critical assets, taking into account the amount of risk you are willing to accept.
Ensure your risk mitigation measures cover personnel, cyber/ information and physical security, and that you are clear about how these actions will reduce risk. You will need to address the following questions:
- Who owns your risk mitigation measures information? How often is it reviewed and updated?
- Do your mitigation measures document the tasks that will be required to manage threats and the individuals that will be responsible for these tasks?
- How are your mitigation measures communicated to key staff, contacts and stakeholders?
- Do your measures include timescales for business recovery and required resources? Do they keep pace with technological advances?
NPSA guidance and information is available via the links below:
- Operational Requirements - makes recommendations to help you manage security risk
- Risk Assessment - guidance to help identify vulnerabilities and the potential impact of exploitation
- HoMER (Holistic Management of Employee Risk) – guidance to help mitigate people risk
