Risk Management Is The Identification, Evaluation, and Prioritization of

Risk management involves identifying and evaluating risks, prioritizing them, and taking steps to minimize negative impacts and maximize opportunities. It includes assessing risks from various sources, both internal and external. There are standards for risk management in fields like project management, engineering, and finance. Strategies include avoiding risks, reducing negative impacts, transferring risks, or retaining risks. Critiques note that risk management does not always measurably improve outcomes and some projects still face huge cost and schedule overruns.

Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events[1] or to maximize the realization of opportunities.

Risks can come from various sources including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Events are of two types: negative events are classified as risks, while positive events are classified as opportunities. Several risk management standards have been developed, including those of the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.[2][3] Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat; the opposites apply to opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk, whereas confidence in estimates and decisions seems to increase.[1] For example, one study found that one in six IT projects were "black swans" with gigantic overruns (cost overruns averaged 200%, and schedule overruns 70%).[4]

Contents

1 Introduction
  1.1 Method
  1.2 Principles
2 Process
  2.1 Establishing the context
  2.2 Identification
  2.3 Assessment
3 Risk options
  3.1 Potential risk treatments
  3.2 Risk management plan
  3.3 Implementation
  3.4 Review and evaluation of the plan
4 Limitations
5 Areas
  5.1 Enterprise
  5.2 Enterprise Security
  5.3 Medical device
  5.4 Project management
  5.5 Megaprojects (infrastructure)
  5.6 Natural disasters
  5.7 Wilderness
  5.8 Information technology
  5.9 Petroleum and natural gas
  5.10 Pharmaceutical sector
6 Risk communication
7 See also
8 References
9 External links

Introduction
A widely used vocabulary for risk management is defined by ISO Guide 73:2009, "Risk
management. Vocabulary."[2]
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss
(or impact) and the greatest probability of occurring are handled first, and risks with lower probability
of occurrence and lower loss are handled in descending order. In practice the process of assessing
overall risk can be difficult, and balancing resources used to mitigate between risks with a high
probability of occurrence but lower loss versus a risk with high loss but lower probability of
occurrence can often be mishandled.
Intangible risk management identifies a new type of risk that has a 100% probability of occurring
but is ignored by the organization due to a lack of identification ability. For example, when deficient
knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when
ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective
operational procedures are applied. These risks directly reduce the productivity of knowledge
workers, decrease cost-effectiveness, profitability, service, quality, reputation, brand value, and
earnings quality. Intangible risk management allows risk management to create immediate value
from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost.
Resources spent on risk management could have been spent on more profitable activities. Again,
ideal risk management minimizes spending (or manpower or other resources) and also minimizes
the negative effects of risks.
By this definition, risk is the possibility that an event will occur and adversely affect the
achievement of an objective; risk therefore inherently involves uncertainty. Risk management
frameworks such as COSO ERM can help managers keep their risks under control. Each company may
have different internal control components, which leads to different outcomes. For example, the
framework for ERM components includes Internal Environment, Objective Setting, Event
Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication,
and Monitoring.

Method
For the most part, these methods consist of the following elements, performed, more or less, in the
following order.

1. identify the threats
2. assess the vulnerability of critical assets to specific threats
3. determine the risk (i.e. the expected likelihood and consequences of specific types of attacks
on specific assets)
4. identify ways to reduce those risks
5. prioritize risk reduction measures
Principles
The International Organization for Standardization (ISO) identifies the following principles of risk
management:[5]
Risk management should:

- create value – resources expended to mitigate risk should be less than the consequence of
inaction
- be an integral part of organizational processes
- be part of the decision making process
- explicitly address uncertainty and assumptions
- be a systematic and structured process
- be based on the best available information
- be tailorable
- take human factors into account
- be transparent and inclusive
- be dynamic, iterative and responsive to change
- be capable of continual improvement and enhancement
- be continually or periodically re-assessed

Process
According to the standard ISO 31000 "Risk management – Principles and guidelines on
implementation,"[3] the process of risk management consists of several steps as follows:

Establishing the context

This involves:
1. the social scope of risk management, the identity and objectives of stakeholders, and the basis
upon which risks will be evaluated, including constraints
2. defining a framework for the activity and an agenda for identification
3. developing an analysis of risks involved in the process
4. mitigation or solution of risks using available technological, human and organizational
resources
Identification
After establishing the context, the next step in the process of managing risk is to identify potential
risks. Risks are about events that, when triggered, cause problems or benefits. Hence, risk
identification can start with the source of our problems and those of our competitors (benefit), or with
the problem consequences.

- Source analysis[6] – Risk sources may be internal or external to the system that is the target of
risk management (use mitigation instead of management since by its own definition risk deals
with factors of decision-making that cannot be managed).
Examples of risk sources are: stakeholders of a project, employees of a company or the weather
over an airport.

- Problem analysis – Risks are related to identified threats. For example: the threat of
losing money, the threat of abuse of confidential information or the threat of human errors,
accidents and casualties. The threats may exist with various entities, most importantly with
shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can
lead to a problem can be investigated. For example: stakeholders withdrawing during a project may
endanger funding of the project; confidential information may be stolen by employees even within a
closed network; lightning striking an aircraft during takeoff may make all people on board immediate
casualties.
The chosen method of identifying risks may depend on culture, industry practice and compliance.
The identification methods are formed by templates or the development of templates for identifying
source, problem or event. Common risk identification methods are:

- Objectives-based risk identification – Organizations and project teams have objectives.
Any event that may endanger achieving an objective partly or completely is identified as risk.
- Scenario-based risk identification – In scenario analysis different scenarios are created. The
scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction
of forces in, for example, a market or battle. Any event that triggers an undesired scenario
alternative is identified as risk – see Futures Studies for methodology used by Futurists.
- Taxonomy-based risk identification – The taxonomy in taxonomy-based risk identification is a
breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a
questionnaire is compiled. The answers to the questions reveal risks.[7]
- Common-risk checking[8] – In several industries, lists with known risks are available. Each risk in
the list can be checked for application to a particular situation.[9]
- Risk charting[10] – This method combines the above approaches by listing resources at risk,
threats to those resources, modifying factors which may increase or decrease the risk and
consequences it is wished to avoid. Creating a matrix under these headings enables a variety of
approaches. One can begin with resources and consider the threats they are exposed to and the
consequences of each. Alternatively one can start with the threats and examine which resources
they would affect, or one can begin with the consequences and determine which combination of
threats and resources would be involved to bring them about.
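The risk chart described under "Risk charting" is, in data terms, a table with four headings (resource, threat, modifying factors, consequence) that has to be readable starting from any of the first three. The following Python is an added example, not part of the original article or of any standard it cites; the rows are constructed sample data modelled on the article's own examples (employee theft of confidential data, lightning, stakeholder withdrawal), and the modifying-factor weights are illustrative placeholders rather than measured values.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class ChartRow:
    """One row of a risk chart: a resource at risk, a threat to it, the
    consequence to be avoided, and the modifying factors that increase (>1)
    or decrease (<1) the risk."""
    resource: str
    threat: str
    consequence: str
    modifiers: tuple = ()   # ((name, factor), ...); constructed, illustrative factors

    def modifier_weight(self) -> float:
        # Net effect of the modifying factors; 1.0 when none are recorded.
        return prod(f for _, f in self.modifiers) if self.modifiers else 1.0


class RiskChart:
    """A risk chart that can be read from any of its headings, as the text
    describes: from resources, from threats, or from consequences."""

    def __init__(self, rows):
        self.rows = list(rows)

    def threats_to(self, resource):
        """Start from a resource: which threats is it exposed to, with what consequence?"""
        return sorted({(r.threat, r.consequence) for r in self.rows if r.resource == resource})

    def resources_affected_by(self, threat):
        """Start from a threat: which resources would it affect?"""
        return sorted({r.resource for r in self.rows if r.threat == threat})

    def causes_of(self, consequence):
        """Start from a consequence: which threat/resource combinations bring it about?"""
        return sorted({(r.threat, r.resource) for r in self.rows if r.consequence == consequence})

    def by_weight(self):
        """Rows ordered by net modifying factor, highest first, as a triage order."""
        return sorted(self.rows, key=ChartRow.modifier_weight, reverse=True)


# Constructed sample chart; names and factors are illustrative only.
SAMPLE_CHART = RiskChart([
    ChartRow("customer records", "theft by employee", "breach of confidentiality",
             (("access rights not reviewed", 1.5), ("data encrypted at rest", 0.5))),
    ChartRow("customer records", "ransomware", "loss of availability",
             (("offline backups kept", 0.4),)),
    ChartRow("aircraft", "lightning strike on takeoff", "loss of life",
             (("lightning protection fitted", 0.1),)),
    ChartRow("project funding", "stakeholder withdrawal", "project cancelled",
             (("single sponsor", 2.0),)),
    ChartRow("project funding", "ransomware", "project cancelled"),
])

if __name__ == "__main__":
    for row in SAMPLE_CHART.by_weight():
        print(f"{row.modifier_weight():.2f}  {row.resource} / {row.threat} -> {row.consequence}")
    print("causes of 'project cancelled':", SAMPLE_CHART.causes_of("project cancelled"))
```

Because every row carries all three headings, the same table answers "what threatens this resource", "what does this threat touch" and "how could this consequence come about" without maintaining three separate lists; the weight ordering is only a triage aid and does not replace the probability-and-impact assessment described later in the article.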
Assessment
Once risks have been identified, they must then be assessed as to their potential severity of impact
(generally a negative impact, such as damage or loss) and to the probability of occurrence. These
quantities can be either simple to measure, in the case of the value of a lost building, or impossible
to know for sure in the case of an unlikely event, the probability of occurrence of which is unknown.
Therefore, in the assessment process it is critical to make the best educated decisions in order to
properly prioritize the implementation of the risk management plan.
Even a short-term positive improvement can have long-term negative impacts. Take the "turnpike"
example. A highway is widened to allow more traffic. More traffic capacity leads to greater
development in the areas surrounding the improved traffic capacity. Over time, traffic thereby
increases to fill available capacity. Turnpikes thereby need to be expanded in a seemingly endless
cycle. There are many other engineering examples where expanded capacity (to do any function) is
soon filled by increased demand. Since expansion comes at a cost, the resulting growth could
become unsustainable without forecasting and management.
The fundamental difficulty in risk assessment is determining the rate of occurrence, since statistical
information is not available on all kinds of past incidents and is particularly scanty in the case of
catastrophic events, simply because of their infrequency. Furthermore, evaluating the severity of the
consequences (impact) is often quite difficult for intangible assets. Asset valuation is another
question that needs to be addressed. Thus, best educated opinions and available statistics are the
primary sources of information. Nevertheless, risk assessment should produce information for the
senior executives of the organization such that the primary risks are easy to understand and the risk
management decisions can be prioritized within overall company goals. Thus, there have been
several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps
the most widely accepted formula for risk quantification is: "Rate (or probability) of occurrence
multiplied by the impact of the event equals risk magnitude."

Risk options
Risk mitigation measures are usually formulated according to one or more of the following major risk
options, which are:

1. Design a new business process with adequate built-in risk control and containment
measures from the start.
2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of
business operations and modify mitigation measures.
3. Transfer risks to an external agency (e.g. an insurance company)
4. Avoid risks altogether (e.g. by closing down a particular high-risk business area)
Later research[11] has shown that the financial benefits of risk management depend less on the
formula used and more on how frequently, and in what manner, risk assessment is performed.
In business it is imperative to be able to present the findings of risk assessments in financial, market,
or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in
financial terms. The Courtney formula was accepted as the official risk analysis method for US
government agencies. The formula proposes calculation of ALE (annualized loss expectancy) and
compares the expected loss value to the security control implementation costs (cost-benefit
analysis).
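Three passages above describe one computation: the Introduction's rule that risks with the greatest loss and probability are handled first, the Assessment section's "rate of occurrence multiplied by impact equals risk magnitude", and the Courtney-style comparison of annualized loss expectancy (ALE) against the cost of a control. The Python below is an added example, not the article's own or Courtney's published method; it assumes the conventional reading of ALE as an annualized rate of occurrence (ARO) multiplied by a single loss expectancy (SLE), which is the page's formula with the probability expressed as an annual rate. The risk register and control figures are constructed, not measured data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float   # annualized rate of occurrence: expected events per year
    sle: float   # single loss expectancy: loss per occurrence, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost of running the control
    aro_after: float     # rate of occurrence once the control is in place
    sle_after: float     # loss per occurrence once the control is in place


def risk_magnitude(aro: float, sle: float) -> float:
    """The page's formula: rate of occurrence times impact. With an annual rate
    and a per-event loss this is the annualized loss expectancy (ALE)."""
    return aro * sle


def prioritize(risks):
    """Handle the risks with the greatest expected loss first (descending order)."""
    return sorted(risks, key=lambda r: risk_magnitude(r.aro, r.sle), reverse=True)


def net_benefit(risk: Risk, control: Control) -> float:
    """Cost-benefit test: reduction in ALE delivered by the control minus its cost.
    A positive value means the control pays for itself in expected-loss terms."""
    before = risk_magnitude(risk.aro, risk.sle)
    after = risk_magnitude(control.aro_after, control.sle_after)
    return before - after - control.annual_cost


def recommend(risk: Risk, candidates) -> Optional[Control]:
    """Pick the candidate with the largest positive net benefit; None means no
    candidate is justified, so the risk is retained or needs another treatment."""
    best = max(candidates, key=lambda c: net_benefit(risk, c), default=None)
    return best if best is not None and net_benefit(risk, best) > 0 else None


# Constructed sample register: a rare high-loss event, a frequent low-loss event,
# and one in between. Figures are illustrative only.
RISKS = [
    Risk("lightning strike on data centre", aro=0.01, sle=2_000_000),
    Risk("phishing leads to credential theft", aro=2.0, sle=20_000),
    Risk("ransomware on file server", aro=0.2, sle=500_000),
]
CANDIDATES = {
    "ransomware on file server": [
        Control("offline backups", 15_000, aro_after=0.2, sle_after=50_000),
        Control("application allow-listing", 60_000, aro_after=0.05, sle_after=500_000),
    ],
    "phishing leads to credential theft": [
        Control("phishing-resistant MFA", 12_000, aro_after=0.2, sle_after=20_000),
    ],
    "lightning strike on data centre": [
        Control("lightning protection upgrade", 25_000, aro_after=0.001, sle_after=2_000_000),
    ],
}


def treatment_table():
    """One row per risk in priority order: (name, ALE, chosen control or 'retain', net benefit)."""
    rows = []
    for risk in prioritize(RISKS):
        choice = recommend(risk, CANDIDATES.get(risk.name, []))
        rows.append((risk.name, risk_magnitude(risk.aro, risk.sle),
                     choice.name if choice else "retain",
                     net_benefit(risk, choice) if choice else 0.0))
    return rows


if __name__ == "__main__":
    for name, ale, choice, benefit in treatment_table():
        print(f"ALE {ale:>10,.0f}  {name:<36} -> {choice} (net {benefit:,.0f})")
```

The sample deliberately pairs a high-probability, low-loss risk with a low-probability, high-loss one: multiplying rate by impact puts them on one scale, which is what lets the prioritization step compare them at all. The lightning control fails the cost-benefit test even though the event is severe, which is the "retain by default" outcome the Risk retention section describes; a real register would revisit that decision when the cost of the control or the estimate of the rate changes.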

Potential risk treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or
more of these four major categories:[12]

- Avoidance (eliminate, withdraw from or not become involved)
- Reduction (optimize – mitigate)
- Sharing (transfer – outsource or insure)
- Retention (accept and budget)
Ideal use of these risk control strategies may not be possible. Some of them may involve trade-offs
that are not acceptable to the organization or person making the risk management decisions.
Another source, from the US Department of Defense's Defense Acquisition University, calls
these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is
reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements,
in which Risk Management figures prominently in decision making and planning.
Risk avoidance
This includes not performing an activity that could carry risk. An example would be not buying
a property or business in order to not take on the legal liability that comes with it. Another would be
not flying in order not to take the risk that the airplane were to be hijacked. Avoidance may seem the
answer to all risks, but avoiding risks also means losing out on the potential gain that accepting
(retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids
the possibility of earning profits. Increasing risk regulation in hospitals has led to avoidance of
treating higher risk conditions, in favor of patients presenting with lower risk.[13]
Risk reduction
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss
from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by
fire. This method may cause a greater loss by water damage and therefore may not be
suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as
a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance
between negative risk and the benefit of the operation or activity; and between risk reduction and
effort applied. By an offshore drilling contractor effectively applying Health, Safety and
Environment (HSE) management in its organization, it can optimize risk to achieve levels of residual
risk that are tolerable.[14]
Modern software development methodologies reduce risk by developing and delivering software
incrementally. Early methodologies suffered from the fact that they only delivered software in the
final phase of development; any problems encountered in earlier phases meant costly rework and
often jeopardized the whole project. By developing in iterations, software projects can limit effort
wasted to a single iteration.
Outsourcing could be an example of a risk-sharing strategy if the outsourcer can demonstrate higher
capability at managing or reducing risks.[15] For example, a company may outsource only its software
development, the manufacturing of hard goods, or customer support needs to another company,
while handling the business management itself. This way, the company can concentrate more on
business development without having to worry as much about the manufacturing process, managing
the development team, or finding a physical location for a center.
Risk sharing
Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a risk,
and the measures to reduce a risk."
The term 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can
transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance company
or contractor goes bankrupt or ends up in court, the original risk is likely to revert to the first party.
As such in the terminology of practitioners and scholars alike, the purchase of an insurance contract
is often described as a "transfer of risk." However, technically speaking, the buyer of the contract
generally retains legal responsibility for the losses "transferred", meaning that insurance may be
described more accurately as a post-event compensatory mechanism. For example, a personal
injuries insurance policy does not transfer the risk of a car accident to the insurance company. The
risk still lies with the policy holder namely the person who has been in the accident. The insurance
policy simply provides that if an accident (the event) occurs involving the policy holder then some
compensation may be payable to the policy holder that is commensurate with the suffering/damage.
Some ways of managing risk fall into multiple categories. Risk retention pools are technically
retaining the risk for the group, but spreading it over the whole group involves transfer among
individual members of the group. This is different from traditional insurance, in that no premium is
exchanged between members of the group up front, but instead losses are assessed to all members
of the group.
Risk retention
Risk retention involves accepting the loss, or benefit of gain, from a risk when the incident occurs.
True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the
cost of insuring against the risk would be greater over time than the total losses sustained. All risks
that are not avoided or transferred are retained by default. This includes risks that are so large or
catastrophic that either they cannot be insured against or the premiums would be infeasible. War is
an example since most property and risks are not insured against war, so the loss attributed to war
is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is
retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to
insure for greater coverage amounts is so great that it would hinder the goals of the organization too
much.

Risk management plan

Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation needs to be
approved by the appropriate level of management. For instance, a risk concerning the image of the
organization should have top management decision behind it whereas IT management would have
the authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for managing
the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring
and implementing antivirus software. A good risk management plan should contain a schedule for
control implementation and responsible persons for those actions.
According to ISO/IEC 27001, the stage immediately after completion of the risk assessment phase
consists of preparing a Risk Treatment Plan, which should document the decisions about how each
of the identified risks should be handled. Mitigation of risks often means selection of security
controls, which should be documented in a Statement of Applicability, which identifies which
particular control objectives and controls from the standard have been selected, and why.
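The plan described above has a checkable shape: each identified risk gets a treatment decision approved at the right management level, a reduced risk names the controls selected for it, each selected control has a responsible person and a schedule, and the Statement of Applicability records, for every control in the catalogue, whether it was selected and why. The Python below is an added example, not the article's own or ISO/IEC 27001's text; the control identifiers (CTL-01 and so on) are placeholders and not the numbering of any real standard, and the plan entries, names and dates are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Treatment(Enum):
    AVOID = "avoid"
    REDUCE = "reduce"
    SHARE = "share"
    RETAIN = "retain"


@dataclass(frozen=True)
class Control:
    control_id: str      # placeholder catalogue identifier, not a real standard's numbering
    description: str


@dataclass
class TreatmentDecision:
    risk: str
    treatment: Treatment
    approved_by: str                                   # management level that signed off
    justification: str = ""                            # why this treatment was chosen
    controls: List[str] = field(default_factory=list)  # control_ids selected for this risk
    owner: str = ""                                    # person responsible for implementation
    due: str = ""                                      # implementation deadline (ISO date)


# Constructed control catalogue with placeholder identifiers.
CATALOGUE: Dict[str, Control] = {
    "CTL-01": Control("CTL-01", "anti-malware software on all endpoints"),
    "CTL-02": Control("CTL-02", "offline backups with restore testing"),
    "CTL-03": Control("CTL-03", "insurance covering incident response costs"),
    "CTL-04": Control("CTL-04", "multi-factor authentication for remote access"),
}


def validate_plan(decisions: List[TreatmentDecision], catalogue: Dict[str, Control]) -> List[str]:
    """Checks to run before the plan goes for approval: every decision is approved,
    a 'reduce' decision names controls, named controls exist in the catalogue,
    selected controls have an owner and a due date, and any treatment other than
    'reduce' carries a recorded justification."""
    problems = []
    for d in decisions:
        if not d.approved_by:
            problems.append(f"{d.risk}: treatment not approved")
        if d.treatment == Treatment.REDUCE and not d.controls:
            problems.append(f"{d.risk}: 'reduce' chosen but no controls selected")
        for cid in d.controls:
            if cid not in catalogue:
                problems.append(f"{d.risk}: unknown control {cid}")
        if d.controls and not (d.owner and d.due):
            problems.append(f"{d.risk}: selected controls lack an owner or a due date")
        if d.treatment != Treatment.REDUCE and not d.justification:
            problems.append(f"{d.risk}: '{d.treatment.value}' needs a recorded justification")
    return problems


def statement_of_applicability(decisions, catalogue):
    """For every catalogue control: whether it is selected, for which risks, and why.
    Unselected controls are listed too, so an omission is a visible decision."""
    soa = {cid: {"selected": False, "risks": [], "why": []} for cid in catalogue}
    for d in decisions:
        for cid in d.controls:
            if cid in soa:
                soa[cid]["selected"] = True
                soa[cid]["risks"].append(d.risk)
                soa[cid]["why"].append(d.justification or f"reduces '{d.risk}'")
    return soa


# Constructed example plan for the two risks the text uses as examples, plus a retained one.
PLAN = [
    TreatmentDecision("computer virus infection", Treatment.REDUCE, approved_by="IT manager",
                      controls=["CTL-01", "CTL-02"], owner="desktop team lead", due="2024-09-30"),
    TreatmentDecision("damage to the organization's image", Treatment.SHARE, approved_by="CEO",
                      justification="insurer covers incident response and communications costs",
                      controls=["CTL-03"], owner="risk officer", due="2024-07-01"),
    TreatmentDecision("compromise of low-value test server", Treatment.RETAIN,
                      approved_by="IT manager", justification="control cost exceeds exposure"),
]

if __name__ == "__main__":
    print("problems:", validate_plan(PLAN, CATALOGUE))
    for cid, row in statement_of_applicability(PLAN, CATALOGUE).items():
        print(cid, row)
```

The validation deliberately fails a plan that selects a control without naming an owner and a date, since the text makes the schedule and the responsible persons part of what a good plan must contain; the Statement of Applicability lists CTL-04 as not selected, which keeps the unselected control visible for the periodic review described later.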

Implementation
Implementation follows all of the planned methods for mitigating the effect of the risks: purchase
insurance policies for the risks that it has been decided to transfer to an insurer, avoid all risks
that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.

Review and evaluation of the plan

Initial risk management plans will never be perfect. Practice, experience, and actual loss results will
necessitate changes in the plan and contribute information to allow possible different decisions to be
made in dealing with the risks being faced.
Risk analysis results and management plans should be updated periodically. There are two primary
reasons for this:

1. to evaluate whether the previously selected security controls are still applicable and effective
2. to evaluate possible changes in the risk level in the business environment; information risks,
for example, are a good illustration of a rapidly changing business environment.

Limitations
Prioritizing the risk management processes too highly could keep an organization from ever
completing a project or even getting started. This is especially true if other work is suspended until
the risk management process is considered complete.
It is also important to keep in mind the distinction between risk and uncertainty. Risk can be
measured by impact × probability; uncertainty, by contrast, cannot be quantified in this way.
If risks are improperly assessed and prioritized, time can be wasted in dealing with risk of losses that
are not likely to occur. Spending too much time assessing and managing unlikely risks can divert
resources that could be used more profitably. Unlikely events do occur but if the risk is unlikely
enough to occur it may be better to simply retain the risk and deal with the result if the loss does in
fact occur. Qualitative risk assessment is subjective and lacks consistency. The primary justification
for a formal risk assessment process is legal and bureaucratic.
