Part 1: Mitigation Strategies v2

From BCMpedia. A Wiki Glossary for Business Continuity Management (BCM) and Disaster Recovery (DR).

This template is to be filled in by the Organisation BCM Coordinator to assess additional mitigation strategies against identified threats whose residual risks were not fully mitigated in the RAR stage. Residual risks are more relevant at the organisational level and should therefore be treated at that level.

Note that the text in italics serves as supporting instructions for participants attending and attempting BCM Institute's Blended Learning assignment.

Threat (Col 2)

The name of each threat is identified in the List of Threats in the RAR questionnaire. BCM Coordinators are to ensure that all the relevant high-risk threats highlighted in the RAR phase are represented here under the threat column.

Existing Controls (Col 3)

  • Controls are instruments or practices that are used to manage risk. All controls fall within one of the above 4 treatment options and serve as an elaboration of the existing risk treatments. Existing Controls were defined in the RAR phase and should be exactly the same as the ones there for each threat.
  • Existing Controls are "Controls" that are already implemented within your organization to manage the identified risk. For example, if fire is the threat, existing controls could include fire extinguishers, fire wardens, and an evacuation plan.

Risk Rating (Col 4)

  • Risk Rating is the product of the assigned value for Risk Likelihood and the assigned value of the Highest Risk Impact.
  • The result is the Risk Rating of an individual threat. Risk Rating was established in the RAR phase and should be exactly the same for each threat here.

Risk Level (Col 5)

Risk Level is the overall level of assessed risk for an individual threat to the organization. Risk level was established in the RAR phase and should be exactly the same for each threat here.

Risk Treatment (Residual Risk) (Col 6)

  • Risk Treatment (Residual Risk) refers to the additional mitigating measures that the organization will add on top of existing controls to handle recognized threats, in order to reduce the threats to as minimal a risk as possible.
  • 4 risk treatments are available to address the majority of the risks posed by threats.

Additional Mitigation Strategies (Col 7)

Summary of Mitigation Strategies

A summary of the mitigation strategies that are being considered may include the following options:

  • Buy insurance (buying insurance is a preventive option, whilst claiming insurance is a recovery option)
  • Install fire detection/suppression devices
  • Install monitoring and intruder detection devices
  • Implement safety protocols
  • Provide basic security awareness and training for staff
  • Move to higher ground or a safer place
  • Outsource selected activities to a third party (while retaining accountability)

Additional Mitigation Strategies are additional measures, in line with the Risk Treatment, that are added on top of existing controls and measures.

Justification for Additional Mitigation Strategies (Col 8)

Mitigation Strategies Selected and Justification (Set of Criteria)

Which are the preferred preventive options, and why were they selected over the other alternatives? The considerations may include, but are not limited to, the following:

  • Build-out cost
  • Maintenance effort / cost
  • Availability of support personnel, high skill set and competency level
  • Readiness of facilities and/or resources availability
  • Urgency or safety requirements
  • Elevated awareness
  • Risk avoidance or removal
  • Costs of prevention options vs. estimated benefits

Why is this strategy chosen? Why are these additional measures in place? What purpose do they serve in minimizing the occurrence or impact of the threat?

Instruction to BL-B-3/5 M2 Participant

This section is for participants attending the BL-B-3 Module 2 facilitated workshop. It gives additional instructions for completing your BC Strategy assignment.

  • Refer to the text highlighted in italics in each section of this page for further explanation when attempting the Module 2 assignment.
  • Note that this step is already taken during the RAR phase. The step is a requirement of the ISO 22301 BCMS standard.


As threats are site-specific, if an organisation has business units operating at multiple sites, the Organisation BCM Coordinator shall perform this assessment for each site where the organisation has a presence.