Risk Management Process

Risk management is an integral part of an organization's governance structure.

The figure below illustrates a generic risk management process that can be used to manage risk at the organization level. This process is described in general terms in ISO Standard 31000 and is used in the National Institute of Standards and Technology’s (NIST) Special Publication 800-39 to describe the process of managing security risks associated with information and information systems (NIST, 2011). This risk management process is focused upon identifying and managing risks to the organization as a whole. The four elements of this risk management process (frame, assess, respond, monitor) are discussed in the sections that follow.

The image shows the four elements of the risk management process: frame, assess, repond, and monitor.
Organizational-Level Risk Management Process


Risk framing is a business process that uses organizational context (problem frame) to guide the identification and categorization of risks to assets. Risk framing categorizes risks according to the type of asset, source of the risk to that asset (threat), and the vulnerability of the asset to the threat. It is usually the first step in the risk management process.

Risk sources are divided into two categories: opportunities and threats. The opportunity category is primarily used to frame risks in project management risk analyses and financial analyses (investment planning). Security risks are usually expressed in terms of threats to assets and further categorized by the type of threat.

Risks may also be identified using information from published lists and databases of known threats and vulnerabilities for specific products (hardware and software). Authoritative vulnerability identification and description information can be obtained from NIST, the Department of Defense (Defense Information Systems Agency), the Department of Homeland Security (US-CERT), and the Mitre Corporation (a government contractor).


Risk assessment is a business process used to evaluate and rank the risks identified in the framing process. The output of the risk assessment process is a risk register containing entries for individual risks and their associated risk impact metrics. Risk assessment may be quantitative or qualitative. Quantitative risk assessments use statistical techniques to analyze data from simulations, experiments, and threat models. Qualitative risk assessments use expert opinion and judgment. Both types of assessment may use historical information obtained from documents and reports.


Organizations use four types of risk response strategies:

  • acceptance
  • avoidance
  • transfer
  • mitigation

When a strategy is applied to a specific risk, it is referred to as a risk treatment.

We will discuss each of the four types of risk response strategies below.

Acceptance has two forms. For opportunity-based risks, an organization accepts the risk in the expectation of a beneficial or profitable outcome. This form of acceptance usually involves a deliberate action (e.g., signature on a memorandum) that authorizes the acceptance of the risk. For threat-based risks, an organization accepts a risk when the costs of taking action to prevent harm exceed the expected costs of doing nothing. This form of acceptance may be either de facto (through no action) or de jure (formally approved or agreed to by an oversight group).

Avoidance occurs when an organization makes a deliberate decision to avoid the circumstances or situations in which a risk could arise. For example, after reviewing an opportunity to invest in a new security technology, a venture capitalist could determine that the potential payoff is too low when compared to other uses of the money and so decides to not invest in the security technology. Not making the investment is an avoidance strategy.

Transfer is accomplished by transferring responsibility for the outcome of the risk to another organization. Two common types of transfer strategies are insurance and outsourcing. Cyber insurance is purchased to protect an organization from financial losses resulting from cyber attacks. Outsourcing transfers financial responsibility for specific risks as part of a service-level agreement or other form of contract-for-services. Under US law, ultimate responsibility for harm or loss to information and information systems remains with the owners of those assets and cannot be transferred to an outside organization.

Mitigation is the most complex of the four risk management strategies. This strategy requires that organizations identify specific actions, processes, and technologies that can be used to lessen the impact of a risk. Some mitigation measures focus upon reducing vulnerabilities in assets (e.g., patching software) while others are used to lower the probability of occurrence (e.g., deploying antivirus software to detect and block malware before an infection occurs). Most security controls are intended as risk mitigation measures.


National Institute of Standards and Technology (NIST). (2011, March). Special publication 800-39. Managing information security risk: Organization, mission, and information system view. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf