I was hoping to get some input/clarification on the two terms I’ve seen some people use interchangeably, but I’m pretty sure they mean two different things.
Risk Mitigation is putting controls in place to reduce or limit the adverse affects of risks, identified or likely to occur.
Risk treatment is after the risk assessment, where you look at the identified risks and create controls to…treat them.
So basically Mitigation is proactive approach that can basically be done anytime, while risk treatment is reactive, something that is done only during the risk assessment and after a risk has been identified.
I've always understood risk mitigation to itself be one of the four risk treatments. The other three treatments are accept, avoid, or transfer.
That too is my understanding.
In some circles, I have seen claims that "ignoring" or "denying" are additional treatments, but truly those are just cases of implicitly accepting risk. Read up on the Challenger's demise as a great example of NASA management implicitly accepting risk by denying the engineers' assessment.
