Risk management is the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.
Risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, as well as deliberate attacks from an adversary. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Science and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
For the most part, these methodologies consist of the following elements, performed, more or less, in the following order:
1. identify, characterize, and assess threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures based on a strategy
The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
This section provides an introduction to the principles of risk management. The vocabulary of risk management is defined in ISO Guide 73, "Risk management. Vocabulary".
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.
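The prioritization rule above, ranking by expected loss (probability of occurrence times loss per occurrence), is easy to state but, as the text notes, it can hide the difference between a frequent cheap event and a rare catastrophic one. The following is an added example, not part of the original text: it ranks a constructed risk register by expected loss, breaks ties toward the larger single-event loss, and separately flags any risk whose single-event loss exceeds an assumed tolerance threshold so that a low-probability, high-loss risk is not buried below many minor ones. All names, probabilities and loss figures in the register are invented for illustration.

```python
"""Prioritize a risk register by expected loss (probability x impact).

Added example; the register below is constructed, not taken from any real
organization, and the single-event tolerance rule is an assumption made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # estimated probability of occurring in one year (0..1)
    loss: float          # estimated loss per occurrence, in currency units

    def __post_init__(self) -> None:
        # Reject estimates that cannot be meaningful before they reach the ranking.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be in [0, 1]")
        if self.loss < 0:
            raise ValueError(f"{self.name}: loss must be non-negative")

    @property
    def expected_loss(self) -> float:
        """Annualized expected loss: probability of the event times its cost."""
        return self.probability * self.loss


# Constructed sample register (assumed values, for illustration only).
REGISTER = [
    Risk("Phishing-driven credential theft", probability=0.80, loss=50_000),
    Risk("Ransomware outage", probability=0.05, loss=800_000),
    Risk("Stolen unencrypted laptop", probability=0.30, loss=20_000),
    Risk("Data-centre fire", probability=0.01, loss=5_000_000),
]


def prioritize(risks):
    """Order risks so that the largest expected loss is handled first.

    Ties on expected loss (rounded to cents so float noise does not decide
    the order) are broken in favour of the larger single-event loss, because
    a rare catastrophic event is harder to absorb than a frequent small one
    even when both have the same expected value.
    """
    return sorted(risks, key=lambda r: (-round(r.expected_loss, 2), -r.loss))


def exceeds_tolerance(risks, max_single_loss):
    """Risks whose single-event loss is above what the organization can absorb.

    These are surfaced separately: ranking by expected loss alone would let a
    low-probability, high-loss risk sink below many minor ones.
    """
    return [r for r in risks if r.loss > max_single_loss]


if __name__ == "__main__":
    for rank, r in enumerate(prioritize(REGISTER), start=1):
        print(f"{rank}. {r.name:<35} p={r.probability:.2f} "
              f"loss={r.loss:>12,.0f} expected={r.expected_loss:>10,.0f}")
    print("Above single-event tolerance (1,000,000):",
          [r.name for r in exceeds_tolerance(REGISTER, 1_000_000)])
```

In the constructed register the phishing and ransomware entries have the same expected loss, so the tie-break decides that the ransomware outage is treated first; the data-centre fire ranks first by expected loss and is also the only entry over the assumed tolerance threshold, which is the case the text warns is easy to mishandle when only expected values are compared.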
Intangible risk management identifies a new type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers and decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management