• Enterprise Risk Management
  • Insights
  • Higher Ed
  • K-12

Strategies to Treat and Mitigate Risks Effectively

Liza Kabanova, Esq.
March 2021
Practical guidance for implementing Step 3 of the ERM process

Once your institution has selected which institutional risks it will tackle this year in Step 2 of the enterprise risk management (ERM) process, manage them collaboratively in Step 3.

Your ERM committee might start by assigning risk owners to oversee risk management efforts for each institutional risk. The committee will work with risk owners to set goals and track progress. The risk owner will further break down the institutional risk into more manageable sub-risks, tasks, or projects and assign task owners to oversee those more specific risk management efforts.

The risk owner is also responsible for tracking all efforts related to this risk in a risk treatment plan and will share this plan and status updates with the committee chair regularly. Ultimately, the ERM committee chair will compile the information from all risk owners for incorporation in the Step 4: Risk Summary Report.

To bring this step to life, consider the following example: An institution identifies workplace harassment as an institutional risk. As a result, the committee assigns the Human Resources (HR) Director as the risk owner to set goals and identify specific tasks or projects to enable managing this risk or perhaps start a workplace harassment working group to ensure a cross-functional approach. The HR Director assigns additional task owners to implement these specific strategies, like establishing a policy, facilitating training, or purchasing additional insurance. The HR Director also tracks all efforts related to this risk in a risk treatment plan and regularly shares this plan and status updates with the ERM committee.

To succeed, the ERM committee and risk and task owners must understand the options available for managing risks, which include risk treatment and mitigation strategies.

Select Risk Treatment Strategies

Risk owners should determine which treatment strategies apply, such as whether to avoid, transfer, mitigate, accept, and/or exploit a risk.

Consider the following strategies:

  • Avoid: Reject the risk.
  • Transfer: Shift responsibility to another party, such as through contracting or insurance.
  • Mitigate: Implement measures to reduce the risk.
  • Accept: Take no further action and agree to the consequences of the risk occurring.
  • Exploit: Pursue opportunities related to this risk.

You may combine these strategies. For example, for study abroad programs, your K-12 school, college, or university may transfer a portion of the risk to a third-party transportation vendor with a contract and third-party insurance, and also may mitigate risks by crafting safety policies and training faculty and students. Your institution also may exploit opportunities related to this risk through a marketing strategy given that the unique nature or location of study abroad programs may attract students to your institution.

Select Risk Mitigation Strategies

Next, risk owners will work with task owners to identify and lead more concrete risk mitigation strategies, such as updating policies or overseeing training efforts.

Consider these risk mitigation strategies:



Policies and Procedures

Student and employee handbooks, grievance complaint procedures, safety standards, and investigation policies



Training, awareness campaigns and posters, updated job descriptions and responsibilities, personnel experience, expertise, and time


Facility upgrades, new equipment, maintenance schedules, and inspections


Incident reporting and tracking, reference checks, contracting, insurance, or technology platforms


Lockdown testing, evacuation drills, crisis response, and tabletop exercises


By combining risk mitigation strategies, you ensure they will be most effective.

For example, the Counseling Services Director overseeing the institutional risk of student mental health also might be the task owner for implementing a wellness initiative and training. The director may assign general counsel to implement a telehealth process and may partner with Communications and Admissions to communicate about your institution’s wellness goals to manage prospective student and parents’ expectations.

Define Goals, Set Deadlines, and Share Status Updates

Throughout the year, risk owners should define goals and set deadlines for all risk strategies. Additionally, risk owners are responsible for reporting status updates, progress, and next steps to the ERM committee.

Continue onto UE’s blog Report on Risks to Set Goals, Gain Buy-In, and Document Efforts or use our ERM Process Tracker to track risk management efforts. View UE’s vast library of risk management resources to inform your risk treatment and mitigation plans, including some suggested resources below to assist leaders with implementing policies, training and other activities for some institutional risks institutions may face.

Additional Resources

Added to My Favorites

This content was added to My Favorites.

1 of 3 documents are ready for download

The document "Long document name goes right here" is ready. Downloads expire after 14 days. Your remaining documents will be ready in a few minutes. Lorem ipsum dolor, sit amet consectetur adipisicing elit. Quod deserunt temporibus qui nostrum aliquid error cupiditate praesentium! In, voluptatibus minima?

Go to the Document Center