Click the button to start reading
A Stitch in Time: How to Use Mitigating Controls in Project Planning
Do you keep an umbrella in the back seat of your car? That is such an awesome fix for those times when you pull into a parking lot just as it starts to pour.
But an umbrella certainly doesn’t stop rain from falling (if only!). It simply lessens its impact on you.
We face risks everywhere we go, and have all sorts of approaches for preventing and mitigating them.
And project management certainly is no exception.
Any experienced project manager knows that the best way to to launch a project is by putting all known risks on the table, with every stakeholder standing by. Next, the team sets itself up for success by creating a strategy to manage each and every risk.
Using mitigating controls is a critical part of this strategy.
The umbrella is an example of a mitigating control: it doesn’t prevent you from being caught in a rainstorm, but it eases the impact, should the unfortunate incident occur.
Let’s go over what a mitigating control is, and then look at how it fits into the wider context of risk management for project planning.
What is a Mitigating Control?
Before defining “mitigating control”, let’s break it down and first define the verb “mitigate.”
According to The Merriam Webster Dictionary, “mitigate” means to make less severe or harmful; to alleviate.
An umbrella mitigates the impact of a rainstorm; a boss might use soothing language to mitigate the delivery of disappointing news.
A mitigating control, then, has to do with lessening the severity of a threat after it occurs. It’s not about preventing the threat from happening in the first place.
When you implement a mitigating control into a project strategy, you act as though an asset has already been lost or threatened. The mitigating control, then, directly addresses the threat, not the asset.
Examples of Mitigating Controls
Let’s look at a few examples of how a company would use a mitigating control in the workplace or in project planning, in order to alleviate risk.
A Firewall
Every company has hordes of valuable information stored on its computers, all of which could be wiped out within minutes by a cyberattack. A mitigating control against this terrifying threat would be installing a firewall to block viruses and untrusted networks from accessing the company’s servers.
A Succession Plan
A skilled team is probably the most important asset to any project. Losing any number of team members poses a risk to a project’s successful completion. A good succession plan is a mitigating control to alleviate some of this risk. This way, the company is ready in the event of an unexpected absence or departure.
An Emergency Budget
A successful project certainly needs to deliver a quality product to the client. This deliverable is dependent on highly skilled labor. If some team members aren’t sufficiently skilled, however, it means the delivery of a sloppy or subpar product. One way to mitigate this risk would be to set aside a portion of the budget in the event that some work is scrapped and has to be re-done.
As you can see, a mitigating control has to do with putting a plan into place for when a threatening event transpires. It’s not about preventing this threat from happening in the first place.
Mitigating Controls Within Risk Management
Mitigating controls are only one aspect of managing risk. Let’s look at some other methods of risk management, to see how it fits into the entire strategy.
Asset Protection
In addition to creating a “how do we back out of a dead-end” plan, it’s also necessary for a project to include strategies for not ending up at the dead-end to begin with.
For example, in order to retain a good team, a project manager can promise a bonus or another incentive to every one who stays on board with a project through its completion.
And in order to hire a skilled team of freelancers and contractors, a manager can have criteria for vetting potential hires, including reviewing previous work and soliciting references.
Compensating Controls
Risk management oftentimes requires additional resources, and sometimes these resources simply aren’t available. In these instances, it’s necessary to use something called compensating controls.
A compensating control is additional surveillance or protocol when a project doesn’t have proper segregation of duties.
Let’s look at an example. In an ideal scenario, a programming team passes on its code to another team for testing and peer review. However, when this second team doesn’t exist, the same team must test its own code. In order to lessen the risk of defects, a company would then use a compensating control, such as an additional management review of the code.
In essence, a compensating control is making up for a weak link in segregation of duties. Some other examples of compensating controls include second signatures on important documents, and detailed independent reviews of transactions.
In sum, a good project risk strategy not only includes mitigating controls, but also has compensating controls, as well as a plan for protecting assets in the first place.
Softening the Blow
Without a proper risk-assessment strategy, a project is sure to hit an impasse that prevents its completion.
A mitigating control is an important part of this strategy. It’s all about having a plan in place to soften the blow of an external threat.
We employ mitigating controls in our life all the time. Having some gas in the car if you’re ever stuck on the road with an empty tank, and using euphemisms when delivering bad news are two everyday methods for lessening the severity of a rough situation.
In addition to using mitigating controls, a comprehensive risk management strategy also uses compensating controls and asset protection.
This sort of “no strike out” risk management plan not only keeps the curve balls and fastballs from coming at you, but it allows you to make a hit, or at worst foul, every single time.