Risk Management
What is Risk Management?
Risk ManagementThe coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
Risk management is the discipline by which an organization systematically deals with uncertainty that could affect its objectives, assets, or stakeholders. It usually follows a cycle: establish context, identify risks, analyze likelihood and impact, evaluate against criteria, decide on treatment (accept, mitigate, transfer, avoid), and monitor the residual exposure over time. Mature programs are aligned with frameworks such as ISO 31000, NIST RMF, or COSO ERM and feed into compliance obligations, internal audit, and board reporting. Effective risk management balances control cost against potential loss and integrates with project, vendor, and operational decision-making rather than living in a separate silo.
● Examples
- 01
Annual review of the corporate risk register with executive owners.
- 02
Integrating cyber risk scenarios into capital planning and insurance renewals.
● Frequently asked questions
What is Risk Management?
The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Risk Management mean?
The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
How does Risk Management work?
Risk management is the discipline by which an organization systematically deals with uncertainty that could affect its objectives, assets, or stakeholders. It usually follows a cycle: establish context, identify risks, analyze likelihood and impact, evaluate against criteria, decide on treatment (accept, mitigate, transfer, avoid), and monitor the residual exposure over time. Mature programs are aligned with frameworks such as ISO 31000, NIST RMF, or COSO ERM and feed into compliance obligations, internal audit, and board reporting. Effective risk management balances control cost against potential loss and integrates with project, vendor, and operational decision-making rather than living in a separate silo.
How do you defend against Risk Management?
Defences for Risk Management typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Risk Management?
Common alternative names include: Risk management process, RM.
● Related terms
- compliance№ 935
Risk Assessment
A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
- compliance№ 937
Risk Register
A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- compliance№ 939
Risk Treatment
The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
- compliance№ 383
Enterprise Risk Management (ERM)
An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
- compliance№ 733
NIST Risk Management Framework
A seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.
- compliance№ 557
ISO/IEC 27001
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.