CHAPTER 10 Risk Mitigation


In the International Organization for Standardization (ISO) vocabulary, risk mitigation is defined by the four Ts: Tolerate, Treat, Transfer, Terminate. Tolerate means accepting the risk as it is. Treat refers to internal controls, aimed at reducing either the likelihood or the impact of a risk (or both); it is the most common form of risk mitigation. Transfer means to move the consequence – or the causes – of a risk to another party, typically an insurer or a third‐party supplier. Terminate means to remove risk exposure altogether, when none of the other options is acceptable. This chapter concentrates on the two most common mitigation solutions: internal controls and risk transfers.


There are many different classifications for controls. Given my background in internal audit, I tend to adopt the following simple classification used by the Institute of Internal Auditors (IIA) [1]: preventive, detective, corrective and directive controls.

The aim of preventive controls is obviously to reduce the likelihood of an event happening. The controls are executed before possible events and address their causes. A car seat belt is an example of a preventive control in everyday life, while the segregation of duties, where different people are in charge of initiating, approving and settling a transaction, is probably the most common and effective preventive control for internal fraud.

Detective controls take place during or just after ...
