IJCA - Volume 2 - Flipbook - Page 39
2023 | Volume 2, Issue 1
may require more clarification to the interested
parties regarding what is expected for the plans. A
mitigation plan is a plan that:
A. Reduces the Likelihood of Occurrence of the risk
or
B. Reduces the Impact of the risk
or
C. Reduces both the Likelihood of Occurrence and
Impact of the risk
A mitigation plan is a plan that is instituted
immediately and is typically used to achieve A
through C before a risk evolves into a crisis.
A contingency plan is a plan that can be instituted
in case the specific risk evolves into a crisis and
typically reduces the Impact or longevity of the
crisis, as it is too late at this point to reduce the
Likelihood of Occurrence.
To use terms familiar to the conformity assessment
industry, a mitigation plan can be considered
preventive action, whereas a contingency plan can
be considered corrective action/correction.
Step 7: Combine and Select Proposed Mitigation/Contingency Plans
Once responses to the latest query have been
received, as was done with the risks during
Step 2, mitigation and contingency plans should
be reviewed, analyzed, and combined where
appropriate. For example, for the same risk, two
similar mitigation plans may be proposed:
TABLE 6.

| Risk | Party A Proposed Mitigation | Party B Proposed Mitigation |
| --- | --- | --- |
| Loss of internet connectivity while traveling | Ensure air/ground transport has available Wi-Fi before booking ticket | Carry cellular plan-based internet hotspot-capable device |

These two mitigation plans may be combined to
read: Ensure air/ground transport has available
and reliable Wi-Fi before booking ticket; if not or
if questionable, carry cellular plan-based internet
hotspot-capable device as backup. The combined
mitigation plan takes both suggestions and
increases their reduction to Likelihood of Occurrence
by providing a two-pronged response rather than a
single-pronged response.
Once mitigation and contingency plans have
been reviewed, analyzed, and combined where
appropriate, decide on a final list of plans for each
risk to be presented to top management. There are
many different factors to consider when deciding
on a final list, for example: Is this mitigation/contingency
cost effective? Does either plan require
hiring of additional personnel? What is a tentative
timeframe for implementation of each plan? Does
each plan truly address the root cause of the risk, or
does it merely treat a symptom? It is expected that
different organizations may arrive at very different
criteria regarding feasibility of different
mitigation/contingency plans.
Step 8: Management Review to Decide on Appropriate Mitigation/Contingency Plans, Implementation, and Evaluation of Residual Risk
Top management should be engaged to decide
on which mitigation/contingency plans should
be implemented to treat each of the risks. This is
very commonly achieved through a risk discussion
during the already planned management review
meeting; however, this could certainly necessitate
an individual meeting in many cases as well. Once
management has selected the plans they wish to
implement, the organization then implements them.
As discussed previously, very rarely do mitigation
plans eliminate a risk entirely; instead, they reduce
either the Impact or Likelihood of Occurrence. This
means that even after implementing the plans,
residual risk exists. Depending on how successful
the implementation and execution of the plans
are, there may be the same or less residual risk. To
calculate residual risk, follow a very similar process
as was described for the initial information gathering
phase:
1. Circulate a list of the risks and a brief description
of the mitigation that was implemented.
2. Ask interested parties to consider the mitigation
and to re-enter revised values for Impact and
Likelihood of Occurrence.
3. Replot and re-run the IV for each of the risks to
arrive at the residual risk level.
4. If residual risk is acceptable, document the
justification for acceptability.
5. If residual risk is unacceptable, repeat the entire
exercise and attempt new mitigation measures
until such time that the residual risk is deemed
acceptable.
There should be visible movement of the risks on the
graph when they are replotted post-mitigation. For