Chapter 11. Turning Your Risk Assessment into a Risk Mitigation Plan

Once the risk assessment is complete and approved, the next step is to create a risk mitigation plan. This plan will implement the approved countermeasures. If much time has passed since the risk assessment was completed, you may have to check some of the findings to ensure they are still valid. For example, some threats or vulnerabilities may have disappeared.

A significant part of the risk mitigation plan is the identification of costs. Ideally, the risk assessment will already have identified the costs, but some hidden costs may have been overlooked. If you discover additional costs, you'll need to recalculate the cost-benefit analysis. Lastly, it's important to follow up on ...