LR-301h · Module 2
Resource Allocation for Mitigation
3 min read
Mitigation requires resources — people, budget, tools, and time. Allocation decisions should be driven by mitigation ROI from the risk quantification practice. The mitigation with the highest risk-reduction-per-dollar ratio gets funded first. The mitigation with negative ROI — costing more than the risk it addresses — does not get funded unless mandated by regulation.
- Budget Justification: Use quantified risk data to justify the mitigation budget. "The top five risks have a combined expected annual loss of $1.8M. The proposed mitigation program costs $450K annually and reduces exposure by $1.2M. The program has a 2.7x ROI." That is a budget justification a CFO can approve.
- People Allocation: Map control implementation and operation to specific roles. Each control needs an implementer (who builds it) and an operator (who runs it). These may be the same person, but the responsibilities are distinct. Unassigned controls are unimplemented controls.
- Timeline Commitment: Set realistic implementation timelines that account for the team's existing workload. A timeline that assumes 100% dedication to mitigation when the team has other responsibilities will slip. Build in buffer and review progress bi-weekly. [RECOMMEND]: Milestones with deliverables are more effective than end-date commitments alone.
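The funding rule above (highest risk-reduction-per-dollar first, negative-ROI controls deferred unless mandated) as an added Python example, not part of the course material. It treats ROI as the page's ratio of risk reduction to annual cost (so $1.2M / $450K gives the 2.7x figure) and "negative ROI" as risk reduction smaller than cost; the portfolio entries other than the $450K / $1.2M program, and the $700K budget, are constructed.

```python
from dataclasses import dataclass


@dataclass
class Mitigation:
    name: str
    annual_cost: float       # what the control costs to build and run per year
    risk_reduction: float    # expected annual loss it removes
    mandated: bool = False   # required by regulation regardless of ROI

    def roi(self) -> float:
        """Risk reduction per dollar spent (the page's '2.7x' ratio)."""
        return self.risk_reduction / self.annual_cost

    def net_benefit(self) -> float:
        """Negative when the control costs more than the risk it addresses."""
        return self.risk_reduction - self.annual_cost


def allocate(mitigations, budget):
    """Greedy allocation: mandated controls first, then by ROI, within budget.

    Returns (funded_names, deferred_names, unspent_budget)."""
    funded, deferred = [], []
    remaining = budget
    # Mandated controls sort ahead of everything else; the rest are ranked
    # by risk reduction per dollar, highest first.
    ordered = sorted(mitigations, key=lambda m: (not m.mandated, -m.roi()))
    for m in ordered:
        if not m.mandated and m.net_benefit() < 0:
            deferred.append(m.name)        # negative ROI and no mandate
        elif m.annual_cost <= remaining:
            funded.append(m.name)
            remaining -= m.annual_cost
        else:
            deferred.append(m.name)        # positive ROI but budget exhausted
    return funded, deferred, remaining


# Constructed portfolio; only "Mitigation program" uses figures from the text.
PORTFOLIO = [
    Mitigation("Mitigation program", 450_000, 1_200_000),
    Mitigation("MFA rollout", 120_000, 600_000),
    Mitigation("Legacy app rewrite", 900_000, 300_000),          # costs more than it saves
    Mitigation("Regulated log retention", 80_000, 40_000, mandated=True),
]


def run_example(budget=700_000):
    return allocate(PORTFOLIO, budget)
```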