Once the enterprise has identified a risk that can be mitigated, it is time to fix the problem. This should be a very disciplined activity, because it was a lack of discipline that got you where you are in the first place.
I think mitigation must be approached on three fronts.
- You must know exactly what you are doing now (the current state)
- You must know exactly what you should be doing (the target state)
- You must use "gap analysis" to get from what you are doing now to what you should be doing
I have posted essays previously that describe all three of these activities. I won't restate those thoughts here other than to reiterate my belief that the "gap analysis" approach offers the lowest-risk strategy for attaining a successful remediation. Gap analysis keeps the remediation team focused on the essential repair and keeps them from wandering off to "fix" other things that may or may not be wrong.
Remember, there are two aspects to "gap analysis". The aspect that is easy to grasp is that a gap is filled by creating something new to satisfy a deficiency. The more subtle aspect is that something should be removed. For example, suppose a work-around for a process requires that workers be given access to data for which they would otherwise have no need, and that access to that data is restricted because regulators require special handling of it. The gap analysis should then focus on two candidate ideas: redesigning the process to eliminate the need to grant access to the data, or reinforcing the data security measures governing the process. The resulting candidate solutions would need to be subjected to a cost-benefit analysis to determine the correct course of action.
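The access example above can be made concrete by treating the current state and the target state as two sets of entitlements and computing the gap between them. The following is an added illustration written for this page, not code from the original essay; the principals, resources, the "regulated" classification tag and the sample entitlements are constructed for the example. It shows both aspects of the gap: grants that must be added, grants that must be revoked, and any remaining grant to regulated data that needs compensating controls if the process cannot be redesigned.

```python
"""Gap analysis over access entitlements (illustrative, constructed data).

An entitlement is a (principal, resource, permission) triple.  The current
state is what is granted today; the target state is what the redesigned
process needs.  The gap is expressed as concrete remediation actions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple, List

Entitlement = Tuple[str, str, str]  # (principal, resource, permission)


@dataclass(frozen=True)
class GapReport:
    to_add: FrozenSet[Entitlement]        # target has it, current does not
    to_revoke: FrozenSet[Entitlement]     # current has it, target does not
    needs_controls: FrozenSet[Entitlement]  # remains in target but touches regulated data


def gap_analysis(current: FrozenSet[Entitlement],
                 target: FrozenSet[Entitlement],
                 regulated_resources: FrozenSet[str]) -> GapReport:
    """Compute what must be created and what must be removed.

    Entitlements shared by both states are left alone, which is the point of
    the approach: the remediation team only acts on the difference.  Any
    target entitlement on a regulated resource is flagged separately so that
    the 'reinforce the data security measures' branch is not forgotten.
    """
    to_add = target - current
    to_revoke = current - target
    needs_controls = frozenset(e for e in target if e[1] in regulated_resources)
    return GapReport(frozenset(to_add), frozenset(to_revoke), needs_controls)


def remediation_plan(report: GapReport) -> List[str]:
    """Render the gap as an ordered list of actions (revocations first)."""
    plan = [f"REVOKE  {p} on {r}: {perm}" for p, r, perm in sorted(report.to_revoke)]
    plan += [f"GRANT   {p} on {r}: {perm}" for p, r, perm in sorted(report.to_add)]
    plan += [f"CONTROL {p} on {r}: {perm} (regulated data; add handling controls)"
             for p, r, perm in sorted(report.needs_controls)]
    return plan


# --- constructed sample data ------------------------------------------------
# Today: the work-around gives every clerk read access to the regulated
# customer PII table so they can look up a single field.
CURRENT = frozenset({
    ("clerks", "orders_db", "read"),
    ("clerks", "customer_pii", "read"),      # work-around grant
    ("billing", "customer_pii", "read"),
})

# Candidate 1: redesign the process so a masked view carries the one field
# the clerks need; the direct PII grant disappears.
TARGET_REDESIGN = frozenset({
    ("clerks", "orders_db", "read"),
    ("clerks", "customer_masked_view", "read"),
    ("billing", "customer_pii", "read"),
})

REGULATED = frozenset({"customer_pii"})


def redesign_report() -> GapReport:
    return gap_analysis(CURRENT, TARGET_REDESIGN, REGULATED)


if __name__ == "__main__":
    for line in remediation_plan(redesign_report()):
        print(line)
```

Running the block prints one revocation (the work-around grant), one grant (the masked view) and one control item (billing's remaining regulated access), and nothing for the unchanged orders database access. A second target set for the "reinforce the controls" candidate can be fed through the same function, and the two plans compared in the cost-benefit step.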