Best Practices for Enabling a Risk Mitigation Plan from the Risk Assessment

The following list identifies several best practices that can be followed when enabling a risk mitigation plan from a risk assessment:

  • Staying within the scope—The mitigation plan is derived from the risk assessment, which means the scope of the mitigation plan should not go outside the scope of the risk assessment. If the scope isn’t managed, then the costs can easily get out of control.
  • Redoing CBAs if new costs are identified—Completing a cost-benefit analysis for a countermeasure is commonly part of the risk assessment. If additional costs are identified later, then the CBA will need to be redone with the accurate costs.
  • Prioritizing countermeasures—Countermeasures should be prioritized based on their importance. A common way to identify the priority of countermeasures is to score them with a threat likelihood/impact matrix; the high-priority countermeasures should be implemented first.
  • Including current countermeasures in analysis—When scoring countermeasures, the current countermeasures must be considered. For example, a threat may have a high impact, but an in-place countermeasure has reduced it to a low impact. When evaluating a threat, the in-place countermeasure should be considered and a low impact assigned to the threat.
  • Controlling costs—Costs should stay within the allocated budget. Any change in the costs can affect the CBA. If additional costs are too high, the value of the countermeasure may be significantly reduced.
  • Controlling the schedule—Costs frequently go up when the schedule is delayed, and the longer the implementation is delayed, the longer the organization remains at risk.
  • Following up—Approved countermeasures should be checked to be sure they have been implemented and that they have mitigated the risk as expected.

TIP

Nodes can regularly be swapped during the lifetime of a failover cluster. A common reason to do so is for maintenance. For example, node 2 can be updated while node 1 is active. Later, node 2 can be brought online and activated, which will allow node 1 to be taken down to update it.
