Mitigations are actions that reduce either the impact or the likelihood of a risk coming to fruition. You can't completely remove risk from your risk assessment, but you can mitigate it to a level low enough that it is accepted by the company's executives. Your risk management plan should state who the responsible parties are for accepting risk; this is usually a chief executive who is NOT the CIO, CTO, or CSO.
Once you've identified each of your threats, vulnerabilities, risk statements, and risk scores, it's time to mitigate those risks. In the example of the competitors who want to disrupt operations and reduce consumer confidence, we might mitigate that risk with a firewall that limits the website's exposure to only the required ports, and by making sure that administration functions are available only from within the internal system boundary. We might also consider applying patches more frequently than monthly, and applying less critical patches as well.
For the risk of flooding, we might consider a secondary redundant data center in another location that isn’t prone to flooding by the same event.
Consider the priorities and the costs versus impacts of each risk to identify those that will be addressed and those that will be accepted as known risks by the company executives.
After a risk mitigation is identified and implemented, it is fed back into the risk assessment as a compensating security control. This documents the security controls that are in place and allows future risk assessments to consider the mitigation along with its effectiveness.