Risk Control vs Risk Mitigation: What Every Project Manager Must Know

Prevention versus protection in project risk management infographic

Risk control and risk mitigation are two distinct project risk management actions. Risk control reduces the probability of a risk event occurring. Risk mitigation reduces the impact of a risk event once it has occurred. Project managers must apply both: control actions to prevent risks, and mitigation actions to limit damage when risks materialise.

Defined Terms

Risk Control

Definition: Actions taken to eliminate, prevent, or reduce the probability that a risk event will occur.

Also known as: Risk prevention, probability reduction, preventive action

Category: Risk management / risk treatment

Authority: Institute of Risk Management (IRM)

Risk Mitigation

Definition: Actions taken to reduce or limit the impact or consequence of a risk event after it has occurred.

Also known as: Impact reduction, consequence management, contingency action

Category: Risk management / risk treatment

Authority: Institute of Risk Management (IRM)

What Is the Difference Between Risk Control and Risk Mitigation?

Risk control targets likelihood; risk mitigation targets impact. This distinction comes directly from Institute of Risk Management guidance, which defines control actions as probability-reducing and mitigation actions as impact-reducing.

Consider succession planning for a key team member. Planning who would replace a senior engineer, before they leave, is a mitigation action: it reduces the impact of their departure. Actively working to retain that engineer (salary review, engagement initiatives) is a control action: it reduces the probability of them leaving in the first place.

Both action types work together. Control reduces the likelihood of a risk event occurring. Mitigation limits the damage when it does occur.


Risk Control vs Risk Mitigation: Comparison Table

| Attribute | Risk Control | Risk Mitigation |
| --- | --- | --- |
| Targets | Probability / likelihood | Impact / consequence |
| Timing | Before the risk event occurs | Activated when the risk event occurs |
| Goal | Prevent or reduce occurrence | Limit damage or maximise opportunity |
| IRM classification | Control action | Mitigation action |
| Car example | Regular brake inspection to avoid an accident | Airbag deploys to reduce injury in a crash |
| Best for | Reducing risk likelihood before impact | Reducing severity once the risk materialises |

How Does Risk Control Work?

Risk control actions are implemented before a risk event occurs. They target the probability side of the risk equation: likelihood x impact = risk exposure.

Risk Control Examples (Project Context)

  • Regular equipment inspection to reduce the likelihood of mechanical failure on a construction site
  • Contractual lock-in clauses to reduce the probability of key suppliers withdrawing from a project
  • Cross-training team members so that the likelihood of knowledge loss is reduced if one person leaves
  • Phased approval gates to reduce the probability of scope creep progressing undetected

Risk Control Examples (General — Car Analogy)

  • Correct inspection and maintenance of the car reduces the likelihood of mechanical failures such as brake failure, lowering the probability of an accident
  • Reducing travelling speed gives additional thinking time and lessens the probability of being involved in an accident

How Does Risk Mitigation Work?

Risk mitigation actions are designed to take effect during or after a risk event. They address the impact side of the risk equation and form part of a project’s contingency planning.

Risk Mitigation Examples (Project Context)

  • A documented succession plan for senior team members reduces the impact of an unexpected departure
  • Financial contingency reserves limit the impact of cost overruns on overall project viability
  • A pre-agreed escalation procedure reduces the impact of stakeholder disputes by resolving them quickly
  • Backup suppliers identified in advance reduce the impact of a primary supplier failure

Risk Mitigation Examples (General — Car Analogy)

  • Crumple zones are built into car design to reduce the impact of a collision on the driver and passenger compartment
  • Airbags deploy on impact to reduce the physical effect of an accident on passengers and driver

How to Apply Risk Control and Mitigation in Project Management

Step 1: Identify the Risk Event

Document the specific risk event, including whether it is a threat (negative) or an opportunity (positive). Record it in the project risk register.

Step 2: Assess Likelihood and Impact

Score the risk event for probability and impact using the project’s risk matrix. This determines the current risk exposure before any action is taken.

Step 3: Define Control Actions

Identify actions that will reduce the probability of the risk event occurring. Assign an owner and a deadline for each control action.

Step 4: Define Mitigation Actions

Identify actions that will reduce the impact if the risk event occurs. These may include contingency plans, fallback resources, or pre-agreed escalation paths.

Step 5: Reassess Residual Risk

After applying control and mitigation actions, reassess the likelihood and impact. The resulting score is the residual risk. If still unacceptable, add further actions or escalate.

Step 6: Monitor and Review

Review risk control and mitigation actions at every project progress meeting. Update the risk register when actions are completed, when status changes, or when new risks are identified.
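The six steps above, carried into a constructed risk register entry (an added example, not code from the original article or from any risk tool). It assumes a 1-5 scoring matrix and approximates the Step 5 reassessment by applying each completed action's agreed score change, so that a control action can only ever move likelihood and a mitigation action can only ever move impact, for threats and opportunities alike.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumed 1-5 matrix; residual risk approximated by applying completed actions' agreed score changes.
SCALE_MIN, SCALE_MAX = 1, 5

class RiskType(Enum):
    THREAT = "threat"            # negative risk event
    OPPORTUNITY = "opportunity"  # positive risk event

class ActionKind(Enum):
    CONTROL = "control"          # IRM control action: targets likelihood
    MITIGATION = "mitigation"    # IRM mitigation action: targets impact

@dataclass
class Action:
    kind: ActionKind
    description: str
    owner: str
    deadline: str                # ISO date, e.g. "2025-03-31" (constructed)
    effect: int                  # score points moved on the targeted dimension
    completed: bool = False

@dataclass
class RiskEntry:
    event: str
    risk_type: RiskType
    likelihood: int              # initial score (Step 2)
    impact: int                  # initial score (Step 2)
    actions: list[Action] = field(default_factory=list)

    def exposure(self) -> int:
        """Initial exposure = likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> tuple[int, int, int]:
        """(likelihood, impact, exposure) after completed actions (Step 5).
        Threat scores go down, opportunity scores go up; controls move likelihood only, mitigations impact only."""
        sign = -1 if self.risk_type is RiskType.THREAT else 1
        lik, imp = self.likelihood, self.impact
        for a in self.actions:
            if not a.completed:
                continue         # pending actions earn no credit yet
            if a.kind is ActionKind.CONTROL:
                lik = min(SCALE_MAX, max(SCALE_MIN, lik + sign * a.effect))
            else:
                imp = min(SCALE_MAX, max(SCALE_MIN, imp + sign * a.effect))
        return lik, imp, lik * imp
```

Comparing `residual()[2]` against the project's tolerance is the Step 5 test for whether further actions or escalation are needed.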

Key Facts: Risk Control and Risk Mitigation

Contingency plans: Mitigation actions form the foundation of contingency planning — the pre-defined response when a risk event materialises

Frequently Asked Questions

What is the difference between risk control and risk mitigation?

Risk control reduces the probability that a risk event will occur. Risk mitigation reduces the impact or consequence of a risk event once it has occurred. The Institute of Risk Management distinguishes clearly between the two: control relates to likelihood; mitigation relates to impact.

Can a single action be both a control and a mitigation?

No. A single action targets either probability or impact, not both. Succession planning is a mitigation action (reducing the impact of a departure), not a control action. If you want a control action, you would instead work to reduce the probability of the departure happening.

What is a residual risk?

Residual risk is the remaining level of risk exposure after control and mitigation actions have been applied. It is calculated by reassessing likelihood and impact following implementation of the agreed actions.

Do risk control and mitigation apply to opportunities as well as threats?

Yes. For a positive risk (opportunity), a control action increases the probability of the opportunity occurring. A mitigation action increases the impact or benefit if the opportunity does materialise.

What should a project risk register include for each risk?

A complete risk register entry should include: the risk event description, initial likelihood and impact scores, assigned control actions with owners and deadlines, assigned mitigation actions with owners and deadlines, residual risk score, and a contingency plan trigger if applicable.

Why do project managers confuse risk control with risk mitigation?

Because both are ‘risk actions’ and the difference is conceptual rather than procedural. Without formal guidance (such as IRM definitions), project managers often group all risk actions together, reducing the precision of risk registers and potentially leaving gaps in either probability reduction or impact reduction.
