03-Risk management.md

File metadata and controls

15 lines (8 loc) · 1.25 KB

Risk Management

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.

Or in other words, risk management can be split into two parts: first, determining which risks exist, and then handling those risks in the way that is best for the business. This last point is very important: risk management is always business driven. There are four common ways of handling risk. These are:

  1. Acceptance; this is where the business is aware of the risk, but has decided that no action will be taken against the risk.

  2. Mitigation; this is when security controls are implemented to remove the risk.

  3. Transferring; another word for this is insurance.

  4. Elimination; this is, for example, when the system that is at risk is removed completely. The object with which the risk is associated is removed.