Why Mitigating Controls Are Just as Critical as Prevention
- Jessica Urquhart
- Sep 8
- 4 min read
When most businesses talk about risk, the focus almost always falls on prevention. “We’ve got it under control,” leaders say, pointing to their policies, procedures, or engineered barriers. But what happens when those preventive controls fail?
That’s where mitigating controls step in. They are the reactive measures – the systems, processes, and resources you rely on when the unwanted event has already occurred. And too often, they are overlooked, underfunded, or completely absent.
The Levee Analogy: Lessons from Hurricane Katrina
A clear example lies in the devastating events of Hurricane Katrina in 2005. The engineered levees were designed as preventive controls – their purpose was to stop the water from breaching the city.
But when those levees broke, their role changed in an instant. They became the last line of defence, a critical mitigating control to contain further destruction. Unfortunately, weaknesses in design, maintenance, and oversight meant they were unable to fulfil that role. The result was catastrophic loss of life, displacement of communities, and billions in damage.
And even after the levees failed, mitigating controls should have swung into action. These included:
Immediate evacuation planning to move residents out of danger zones.
Search and rescue operations for those stranded in homes, hospitals, and public buildings.
Distribution of provisions such as food, clean water, and medical supplies to displaced populations.
A coordinated emergency response plan between government agencies, emergency services, and the military.
The reality was that many of these mitigating measures were slow, disorganised, or absent. Delayed evacuations, fragmented communication, and poor coordination meant the disaster escalated far beyond what it should have.
The lesson? Preventive controls are never enough on their own. No matter how confident you are in a barrier, an engineered system, or a piece of paper, you must always have robust mitigating measures in place – ready to activate immediately.
The Trap of “Paper Prevention”
In many industries, there is a strong belief that risk assessments, procedures, or compliance certificates equal control. Leaders convince themselves that because something has been written down, signed off, or ticked in an audit, the event is “inconceivable.”
This is dangerous thinking. Paper is not prevention.
When controls are unverified, or depend on memory, behaviour, or good intentions, they are weak. And when there is no governance or assurance wrapped around those controls, they will fail the moment stress is applied.
Real-world history is full of examples where this mindset has led to disaster:
Piper Alpha Oil Rig Explosion (1988): A breakdown in communication and reliance on human memory led to a catastrophic failure. The industry had plenty of written procedures, but weak mitigating controls for fire and explosion meant the incident spiralled beyond recovery.
Fukushima Nuclear Disaster (2011): Preventive measures focused heavily on earthquake risk. But the tsunami – an event still within the realm of possibility – overwhelmed systems. Mitigating controls, like backup power supplies, were not resilient enough to respond.
Grenfell Tower Fire (2017): Layers of regulatory paperwork suggested fire safety was “under control.” Yet when the fire broke out, the absence of robust reactive measures – including evacuation procedures and effective fire suppression – meant lives were lost.
Each of these tragedies reveals the same truth: an overreliance on prevention, without considering what happens if it fails, is a blind spot that costs lives.
Why Mitigating Controls Are Often Ignored
Why do organisations continue to neglect mitigating controls?
Ego and overconfidence: Leaders believe their prevention measures are unbreakable.
Historical amnesia: Lessons from past events fade, and complacency sets in.
Human dependency: Controls rely too heavily on individuals acting perfectly under stress.
Cost cutting: Reactive systems are seen as “wasted spend” because they may never be used.
Mitigating controls are not optional. They are essential.
Building Resilience Through Dual Focus
Strong risk management means balancing both prevention and mitigation. Ask yourself:
What if my primary controls fail tomorrow?
How quickly can I detect the failure?
What mitigating systems are in place to contain or reduce the damage?
When were they last tested, verified, or audited under realistic conditions?
It is not about assuming failure will happen every time. It is about respecting the possibility that it could.
Prevention vs Mitigation in a Bowtie Diagram
If you’ve ever seen a bowtie risk diagram, you’ll know it’s a powerful way to visualise how risks are managed.
On the left-hand side, you have preventive controls – barriers designed to stop the unwanted event from occurring in the first place.
On the right-hand side, you have mitigating controls – barriers designed for recovery, to reduce the severity of consequences if the unwanted event still happens.
Take Hurricane Katrina as an example:
Hazard: Extreme weather event (hurricane).
Top Event: Levee failure leading to flooding.
Preventive Controls: Engineered levees, pumping systems, flood barriers.
Mitigating Controls: Mass evacuation, search and rescue operations, emergency shelters, medical response, food and water distribution, coordinated agency response.
In a perfect world, preventive controls always hold. But the reality is, they sometimes fail – whether through design flaws, human error, governance gaps, or simply the sheer force of nature. That’s why the right-hand side of the bowtie is just as critical.
Without effective mitigating controls, an incident can spiral from serious to catastrophic in minutes. The bowtie reminds us that resilience comes not from prevention alone, but from a balanced system where prevention and mitigation are equally strong, tested, and verified.
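As an added illustration (not part of the original article), the Katrina bowtie above modelled in Python, with an assurance check that asks the earlier questions of each side: is a control verified or only on paper, and when was it last tested under realistic conditions? The verification flags and test dates are assumed for the example, not historical records.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Control:
    name: str
    side: str                    # "preventive" (left of the top event) or "mitigating" (right)
    verified: bool = False       # evidence the barrier works, not just a written procedure
    last_tested: Optional[date] = None  # last test under realistic conditions, if any

@dataclass
class Bowtie:
    hazard: str
    top_event: str
    controls: list = field(default_factory=list)

def assurance_gaps(bowtie, as_of, max_test_age_days=365):
    """Return findings for one bowtie: a side with no controls, a side that rests on
    paper only, individual unverified controls, and tests that are missing or stale."""
    findings = []
    for side in ("preventive", "mitigating"):
        side_controls = [c for c in bowtie.controls if c.side == side]
        if not side_controls:
            findings.append(f"{side}: no controls defined for '{bowtie.top_event}'")
            continue
        if not any(c.verified for c in side_controls):
            findings.append(f"{side}: no verified control, this side rests on paper only")
        for c in side_controls:
            if not c.verified:
                findings.append(f"{side}: '{c.name}' is unverified (paper control)")
            if c.last_tested is None:
                findings.append(f"{side}: '{c.name}' has never been tested")
            elif (as_of - c.last_tested).days > max_test_age_days:
                age = (as_of - c.last_tested).days
                findings.append(f"{side}: '{c.name}' last tested {age} days ago")
    return findings

# Constructed sample: the Katrina bowtie from the article. Verification status and
# test dates are assumed for illustration, not historical records.
AS_OF = date(2005, 8, 28)
KATRINA = Bowtie(
    hazard="Extreme weather event (hurricane)",
    top_event="Levee failure leading to flooding",
    controls=[
        Control("Engineered levees", "preventive", verified=True, last_tested=date(2004, 6, 1)),
        Control("Pumping systems", "preventive", verified=True, last_tested=date(2005, 3, 1)),
        Control("Mass evacuation plan", "mitigating"),
        Control("Search and rescue operations", "mitigating"),
    ],
)
```

Running `assurance_gaps(KATRINA, AS_OF)` reports the stale levee test on the left and, on the right, a mitigating side that exists only on paper.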
To learn more about Critical Risk Management, how to identify critical mitigating controls and develop robust assurance programs, visit our Critical Risk Management page.