risk management [English]
- RT: risk
n. ~ A program and its supporting, integrated activities to identify the likelihood of some event (typically a threat or vulnerability) occurring, assess its impact and priority, and plan a variety of responses.
Risk management aims to prevent loss and capitalize on opportunities to improve the operations of an organization.
- Black's 9th 2009 (†382 s.v. risk management): The procedures or systems used to minimize accidental losses, especially to a business.
- NIST Risk Assessment 2012 (†482 p. B-10): The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time.
- CNSS-4009 (†730 p.62): The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: 1) the conduct of a risk assessment; 2) the implementation of a risk mitigation strategy; 3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and 4) documenting the overall risk management program. (†1747)
- Duranti 2014 (†490 p. 19): Another framework relied upon by the information systems management field, among many other fields, is that of risk management, an area of study that complements that of trust and in a way represents its counterpart in the context of making decisions in an uncertain environment. Several models of trust exist but few have explored the relationship between risk and trust. (†747)
- Gartner IT Glossary (†298 s.v. "vendor risk management (VRM)"): Vendor risk management (VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. (†712)
- IRM 2002 (†491 p. 2): Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. ¶ The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives. (†749)
- ISACA Glossary (†743 s.v. risk management): 1. The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002) 2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise’s risk appetite. (COBIT 5 perspective) (†1801)
- ISO 73, 2009 (†456 §2.1): 2.1 risk management ~ Coordinated activities to direct and control an organization with regard to risk (1.1)
2.1.1 risk management framework ~ Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (22.214.171.124), reviewing and continually improving risk management (2.1) throughout the organization ¶Note 1 to entry: The foundations include the policy, objectives, mandate and commitment to manage risk (1.1). ¶Note 2 to entry: The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities. ¶Note 3 to entry: The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
2.1.2 risk management policy ~ Statement of the overall intentions and direction of an organization related to risk management (2.1)
2.1.3 risk management plan ~ scheme within the risk management framework (2.1.1) specifying the approach, the management components and resources to be applied to the management of risk (1.1) ¶Note 1 to entry: Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities. ¶Note 2 to entry: The risk management plan can be applied to a particular product, process and project, and part or whole of the organization. (†638)
- ISO 73, 2009 (†456): [Note: The standard organizes terms under headings for risk management, risk management process, communication and consultation, context, risk assessment, risk identification, risk analysis, risk evaluation, and risk treatment, each with many terms defined. For example, the entry for risk analysis includes definitions for likelihood, exposure, consequence, probability, frequency, and vulnerability.] (†640)
- Kurian 2013 (†576 s.v. risk management): Understanding and evaluating the risk involved in a business proposition or transaction, so as to prepare for the eventuality of failure or loss and to moderate the effects of such a loss. Common forms of risk management include insurance, derivatives as a hedge against sudden market fluctuations, and higher interest rates to compensate for potential losses. (†1084)
- Law 2011 (†581 s.v. risk management): 1. The variety of activities undertaken by an organization to control and minimize threats to the continuing efficiency, profitability, and success of its operations. The process of risk management includes the identification and analysis of risks to which the organization is exposed, the assessment of potential impacts on the business, and deciding what action can be taken to eliminate or reduce risk and deal with the impact of unpredictable events causing loss or damage. Risk management strategies include taking out insurance against financial loss or legal liability and introducing safety or security measures. 2. The process of understanding and managing the risks that an organization is inevitably subject to in attempting to achieve its corporate objectives. For management purposes, risks are usually divided into categories such as operational, financial, legal compliance, information, and personnel. (†1119)
- NIST 2013 (†734 p. B-19): The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time. [CNSSI 4009, adapted] (†1816)
- NIST Framework 2014 (†413 p. 5): Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance. (†507)
- NIST Managing Information Security Risk 2011 (†484 p. 9): To integrate the risk management process throughout the organization, a three-tiered approach is employed that addresses risk at the: (i) organization level; (ii) mission/business process level; and (iii) information system level. The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization.
- NIST Risk Management Framework 2010 (†483 p. iii): The six-step [Risk Management Framework] includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle. Applying the RMF within enterprises links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function) and establishes lines of responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls). (†728)
- Structured Approach 2010 (†492 p. 6): The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation. Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation. (†752)
- Structured Approach 2010 (†492 p. 9): Risk management process (based on ISO 31000)