Step 4: Plan and Manage Risk Mitigation Initiatives

Conduct risk remediation analysis, establish risk dispensation program, and plan and execute remediation actions.

In this phase, identified risks are analyzed, and strategies are developed to reduce or eliminate their potential impact. This includes effective resource allocation and the implementation of proactive measures to mitigate identified risks.

Conduct Risk Remediation Analysis

Depending on your organizational need and situation, you can either accept and monitor risks without immediate action, establish a risk dispensation program to temporarily accept specific risks, or actively plan to upgrade or remove outdated technologies from the environment. The ultimate goal is to ensure that all risks in the portfolio are either accepted or have a remediation plan in place, leaving no unaddressed or unplanned risks.

Go through each unaddressed risk based on their priority, and task the application owner with developing remediation plans for each risk. For instance, the plan could include upgrading to a new, supported version of the outdated IT component, or swapping it with a different IT component. Alternatively, it might involve migrating to an entirely different application. The action plan will depend on the application owner's assessment of what the organization needs to support its business capabilities. Typically, Project Management Office personnel will also be involved in planning, scheduling, and approving these remediation actions.


Best Practice

Make use of to-dos feature to task the application owner with developing remediation plans. To-dos offers an efficient collaboration method for managing tasks and responsibilities. To learn more, see To-Dos.

Capture Risk Remediation Decisions

The application owner collaborates with leadership and risk partners to determine whether to accept or address identified risks. Risks are categorized as accepted when the risk to the application is considered tolerable, despite its persistence. Risk acceptance decisions are influenced by various factors, including business criticality of application, absence of alternative IT components, budget constraints, operational limitations, or even a lack of time to schedule an outage to address the risk. When the risk to the application has been effectively mitigated or remediated the risks are categorized as addressed.

  • Ensure that the decision on Obsolescence Risk Status is maintained on the relation between the IT component and application fact sheets. Leverage surveys to determine from application and business owners whether the obsolescence risk status is accepted or requires addressing. When no data is recorded for this attribute, it will be interpreted and rolled up to the application as either Unaddressed Phase Out or Unaddressed End of Life in the obsolescence risk views of reports.

    Obsolescence Risk Status Field

    Obsolescence Risk Status Field

Establish Risk Dispensation Program

Establish a risk dispensation program to manage risks that cannot be promptly resolved. A risk dispensation formally documents the acceptance of a risk and sets a time for revisiting the risk for remediation or further acceptance. Key elements to be included in a risk dispensation document are:

  • CIO/CTO signature accepting the risk: this includes standard language identifying the risk and acknowledging C-Suite acceptance
  • Time and date of dispensation: documenting when the risk acceptance decision was made
  • Time and date to be revisited: specifying when the risk will be reviewed again, such as in 1 quarter, 6 months, etc.
  • Detailed description of the risk: providing a comprehensive explanation of the risk and why it cannot be immediately remediated



You can store relevant risk dispensation documents directly on the fact sheet. To learn how to attach files to fact sheets, see Store Resources on Fact Sheets.

During this period, risks are continuously monitored, and the decision to accept them is revisited at the end of the specified timeframe. Regular risk review meetings involving IT, business, and Global Risk and Compliance leadership are held to discuss the overall risk landscape. Changes in business or market dynamics typically influence the reclassification of accepted risks.

Alignment across teams is essential for smooth execution and fostering a shared understanding. Include reports and KPIs that offer insights into how risks are evolving over time and how they are being managed. Learn more about monitoring and reporting in Step 5: Monitor, Measure, and Report Risk Mitigation Efforts.


After completion of risk remediation analysis, you can leverage Architecture and Roadmap Planning to plan and structure risk management initiatives. It simplifies translating risk management plans into actionable IT initiatives and visualizes future impacts of these initiatives on organization's technical landscape. To know how it can be leveraged for obsolescence risk management, see Using Architecture and Roadmap Planning for Obsolescence Risk Management. To learn more about the Architecture and Roadmap Planning functionalities, see Architecture and Roadmap Planning.

Step-by-Step Guide