LR-301g · Module 2
Mitigation ROI Analysis
Every mitigation investment should be justified by the risk reduction it produces. Quantification enables ROI analysis for risk mitigation: the mitigation costs $X per year, it reduces the expected annual loss by $Y, and the ROI is (Y-X)/X. If the ROI is positive, the investment is justified. If it is negative, the mitigation costs more than the risk it addresses.
Do This
- Quantify risk before and after proposed mitigation — the delta is the risk reduction value
- Compare mitigation cost against risk reduction value — the comparison is the business case
- Prioritize mitigations by ROI — the highest-ROI mitigations should be funded first
Avoid This
- Invest in mitigation without quantifying the risk reduction — you cannot measure what you do not quantify
- Fund mitigations based on fear rather than analysis — fear overestimates dramatic risks and underestimates mundane ones
- Assume all mitigation is worthwhile — some mitigations cost more than the risk they address and should be declined
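The procedure above (quantify before and after, take the delta, compare it with cost, rank by ROI and decline the losers), as an added worked example that is not part of the module; the portfolio figures and the likelihood-times-impact quantification are constructed assumptions, not data from any real assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    """A proposed control with the risk it addresses, quantified before and after."""
    name: str
    annual_cost: float   # X: what the control costs per year
    ale_before: float    # expected annual loss with no control in place
    ale_after: float     # expected annual loss with the control in place


def expected_annual_loss(probability_per_year: float, loss_per_event: float) -> float:
    """Quantify one scenario as annualised expected loss: likelihood times impact (assumed model)."""
    if not 0.0 <= probability_per_year <= 1.0 or loss_per_event < 0:
        raise ValueError("probability must be in [0, 1] and loss must be non-negative")
    return probability_per_year * loss_per_event


def risk_reduction(m: Mitigation) -> float:
    """Y: the delta between expected annual loss before and after the control."""
    return m.ale_before - m.ale_after


def roi(m: Mitigation) -> float:
    """(Y - X) / X as the module defines it; a zero-cost control has no meaningful ratio."""
    if m.annual_cost <= 0:
        raise ValueError(f"{m.name}: annual cost must be positive to compute ROI")
    return (risk_reduction(m) - m.annual_cost) / m.annual_cost


def prioritise(candidates: list) -> tuple:
    """Return (fund, decline): fund is ROI > 0 sorted highest first, decline is ROI <= 0."""
    scored = sorted(((m.name, roi(m)) for m in candidates), key=lambda t: t[1], reverse=True)
    fund = [t for t in scored if t[1] > 0]
    decline = [t for t in scored if t[1] <= 0]
    return fund, decline


# Constructed sample portfolio: illustrative figures only.
CANDIDATES = [
    Mitigation("MFA for admin accounts", 20_000,
               expected_annual_loss(0.30, 500_000), expected_annual_loss(0.05, 500_000)),
    Mitigation("Hardware tokens for all staff", 150_000,
               expected_annual_loss(0.20, 400_000), expected_annual_loss(0.10, 400_000)),
    Mitigation("DDoS scrubbing for the brochure site", 60_000,
               expected_annual_loss(0.10, 50_000), expected_annual_loss(0.01, 50_000)),
]

if __name__ == "__main__":
    fund, decline = prioritise(CANDIDATES)
    for name, r in fund:
        print(f"FUND    {name:40s} ROI {r:+.2f}")
    for name, r in decline:
        print(f"DECLINE {name:40s} ROI {r:+.2f}")
```

With these figures only the admin MFA control clears the bar (ROI +5.25); the other two reduce risk but cost more per year than the expected loss they remove, so the analysis declines them.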