Risk Mitigation Plan

A Risk Mitigation Plan is the set of specific actions that will be taken to reduce the probability that a risk materialises, reduce the impact if it does, or both. Good mitigation plans are concrete ("commission ground investigation on the Section B alignment by end Q2") rather than aspirational ("actively manage ground conditions risk"), owned by a named individual with the authority to deliver them, and tracked for completion on the same cadence as the risk register they belong to.

Mitigation planning is where many risk registers fail in practice. A register that lists fifty risks with fifty plausible impacts, but mitigation columns full of phrases like "monitor closely" or "escalate as required", is a register that is not driving any actual change in the programme's exposure profile. The test of a real mitigation plan is whether, if a reviewer audited the programme against the register in three months' time, the actions would have been completed and the risk status would have measurably moved as a result.

The relationship between mitigation planning and QRA is often under-managed. In principle, as mitigation actions complete, the corresponding risk probability or impact in the QRA model should reduce, and the confidence position should improve. In practice, QRA models are often re-run with the same risk inputs regardless of mitigation progress, producing a confidence position that ignores months of delivery team effort. A live QRA model paired with a live risk register and a live mitigation action log is the mark of a controls function that is operating as an intelligence capability rather than a reporting function.