LR-201c · Module 3
Mitigation Strategies
Every risk has four possible responses: avoid, mitigate, transfer, or accept. The choice depends on the risk score, the cost of each response, and the business context. Most organizations default to mitigation for everything, which is neither efficient nor necessary. A risk that can be avoided through a design change is cheaper to avoid than to mitigate. A risk that can be transferred through insurance or contractual allocation is cheaper to transfer than to monitor.
- Avoid: Eliminate the risk by not doing the thing that creates it. If an AI use case creates unacceptable regulatory risk, do not deploy that use case. Avoidance is the most effective response and the one most organizations resist because it feels like giving something up. It is. What you give up is the risk.
- Mitigate: Reduce the probability or impact of the risk through controls. Human oversight reduces the probability of AI errors reaching end users. Testing protocols reduce the probability of biased outputs. Incident response plans reduce the impact of system failures. Mitigation does not eliminate risk — it reduces it to an acceptable level.
- Transfer: Shift the financial exposure to another party. Insurance transfers financial risk to the insurer. Contractual indemnification transfers liability to the party best positioned to control the risk. Transfer does not eliminate the risk event — it changes who bears the cost.
- Accept: Acknowledge the risk and proceed without additional controls. Acceptance is appropriate when the expected loss is low, when the cost of mitigation exceeds the expected loss, or when the risk is inherent to a strategic opportunity. Acceptance must be documented, explicit, and approved by the appropriate authority. Undocumented acceptance is not acceptance — it is ignorance.