Risk management is the identification, analysis, assessment, and control of risks. Because every aspect of a business carries some level of risk, risk management applies to everything from financial risk to compliance risk. Similarly, although risks can stem from one-off disaster situations (the case most relevant to business continuity and disaster recovery), they can also be built into daily business processes. For instance, a bank that finances vehicles faces a risk with every transaction it makes: there is always a chance that the person it finances will not follow through on the commitment to repay the loan. The bank attempts to mitigate that risk by running credit checks beforehand and, sometimes, requiring a down payment. These steps lower the risk, but they do not eliminate it. For this reason, the bank must have a plan for how to repossess the vehicle or otherwise resolve the loss before the risk materializes. Their risks may differ from a bank's, but all businesses have some form of risk that must be evaluated and planned for.
A risk is a situation with some probability of an unfavorable outcome. In information technology, risk is commonly expressed with the following equation, in which the vulnerability term is expanded as exploit likelihood multiplied by exploit impact:
Risk = (threat × vulnerability [exploit likelihood × exploit impact] × asset value) – security controls
Under this equation, the only way to truly understand a risk is to know the threat, the vulnerability of the business, the likelihood of the exploit, the potential impact of the exploit, the asset value, and the security controls in place. Once all of these individual aspects are understood, the risk can be properly analyzed and planned for. Note that the equation is a scoring heuristic rather than a physical law: the inputs are usually ordinal ratings on an agreed scale, so the result is most useful for ranking risks against one another and against the organization's risk appetite, not as an absolute quantity.
Over the years, risk management has expanded into a range of processes and programs, some of which are overseen by government agencies, third parties, or internal boards. Internal audits and risk assessments have become common and essential checks and balances for evaluating and mitigating business risk.
Although there are multiple risk management frameworks (for example, enterprise risk management frameworks), each follows a general set of processes that fall into five key categories:
- Risk identification: The business identifies potential risks that could negatively affect the company.
- Risk analysis: After a risk is identified, the company determines its likelihood of occurrence and the consequences if it were to occur.
- Risk assessment and evaluation: The risk is then evaluated further by combining its overall likelihood of occurrence with its overall consequence. The company can then decide whether the risk is acceptable and whether it is willing to take it on, based on its risk appetite.
- Risk mitigation: During this step, the company takes its highest-ranked risks and develops a plan to alleviate them using specific risk controls. These plans include risk mitigation processes, risk prevention tactics, and contingency plans for the event that the risk comes to fruition.
- Risk monitoring: Part of the mitigation plan is following up on both the risks and the overall plan, so that new and existing risks are continuously monitored and tracked. The overall risk management process should also be reviewed and updated accordingly.
Once the company has identified specific risks and implemented the risk management process, it can choose between several courses of action, depending on whether or not it is willing to accept each risk.
- Risk avoidance: Chosen when the business wants to avoid as much of the risk as possible, typically by not undertaking the activity that creates it.
- Risk reduction: Companies are sometimes able to reduce the effect certain risks can have on company processes. This is achieved by adjusting aspects of an overall project plan or company process, or by reducing its scope.
- Risk sharing: In some cases, the risk may be shared with others, including other departments or even other businesses.
- Risk retention: When a company decides that a risk is worth taking, it may choose to retain the risk. Often, a risk with an estimated high return is considered worth taking.
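As an added illustration (not part of the original article), the following Python risk register applies the scoring equation above and the four treatment options to a small set of constructed risks, ranking them against a risk appetite threshold. The 1-to-5 rating scales, the control-point values, the sample risks, the appetite value and the treatment thresholds are all assumptions made for this example; the article itself prescribes no scales or thresholds.

```python
from dataclasses import dataclass

# Assumed scales for this example: threat, exploit likelihood, exploit impact
# and asset value are ordinal ratings 1..5; security controls are expressed as
# the number of points they remove, because the article's formula subtracts them.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int        # capability/activity of the threat source, 1..5
    likelihood: int    # chance the vulnerability is exploited, 1..5
    impact: int        # consequence if it is exploited, 1..5
    asset_value: int   # value of the affected asset, 1..5
    controls: int      # points removed by existing security controls, >= 0


def _check_scale(value: int, field: str) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{field} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")


def risk_score(r: Risk) -> int:
    """Article's formula: (threat x vulnerability x asset value) - controls,
    with vulnerability = exploit likelihood x exploit impact.
    The result is clamped at zero: subtracting control points can otherwise
    go negative, which has no meaning as a risk level."""
    for field in ("threat", "likelihood", "impact", "asset_value"):
        _check_scale(getattr(r, field), field)
    if r.controls < 0:
        raise ValueError("controls cannot be negative")
    vulnerability = r.likelihood * r.impact
    inherent = r.threat * vulnerability * r.asset_value
    return max(0, inherent - r.controls)


def recommend_treatment(r: Risk, appetite: int) -> str:
    """Map a scored risk to retain, reduce, share or avoid.
    The thresholds are assumptions for this example, not from the article."""
    score = risk_score(r)
    if score <= appetite:
        return "retain"          # within appetite: accept and keep monitoring
    if score > 4 * appetite:
        return "avoid"           # far beyond appetite: do not take it on
    if r.impact >= 4:
        return "share"           # high consequence: insure or transfer it
    return "reduce"              # otherwise: add controls or narrow the scope


def prioritize(register, appetite: int):
    """Rank a register highest score first, pairing each risk with a treatment."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(r.name, risk_score(r), recommend_treatment(r, appetite)) for r in ranked]


# Constructed sample register: hypothetical risks, not taken from the article.
SAMPLE_REGISTER = [
    Risk("unpatched VPN appliance", threat=4, likelihood=4, impact=3, asset_value=5, controls=60),
    Risk("lost unencrypted laptop", threat=2, likelihood=2, impact=2, asset_value=3, controls=10),
    Risk("ransomware on file server", threat=5, likelihood=3, impact=5, asset_value=5, controls=200),
    Risk("no backups of core ledger", threat=5, likelihood=5, impact=5, asset_value=5, controls=0),
    Risk("over-controlled test system", threat=1, likelihood=1, impact=1, asset_value=1, controls=10),
]
RISK_APPETITE = 50  # assumed appetite threshold on the same point scale


if __name__ == "__main__":
    for name, score, treatment in prioritize(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{score:4d}  {treatment:7s}  {name}")
```

The clamp in risk_score and the range check in _check_scale are the two sanity checks worth keeping in any real register: unbounded or negative scores make the ranking meaningless, and a rating outside the agreed scale usually indicates a data-entry error rather than an unusually severe risk.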
Businesses and risk managers should not seek to avoid all risk, but rather to select risks that are at a reasonable level for them. The risk management process is continuous, because risks regularly change and grow.