Risk management is a process to identify, assess and mitigate or accept risks, such as the risk of employees clicking on phishing emails, IT failures or hacking attacks.
The following components are to be considered within the framework of risk management:
- The asset repository serves as the base for risk management.
- Risk identification & analysis: The respective asset owner carries out an analysis for his or her asset to determine which threats and vulnerabilities exist, i.e., whether a risk exists. If risks exist for an asset, the severity and probability of each risk must be assessed by the defined risk owner. (The risk owner does not have to be the asset owner. Especially regarding technical risks, it may be feasible for the risk owner to be a different person than the asset owner, if the asset owner lacks the necessary technical know-how.)
- Risk assessment: Based on the severity and probability of each risk, a risk score should be calculated.
- Risk handling & risk acceptance: Depending on the risk score, it must be assessed whether the identified risks are below or above the defined risk acceptance level. If the risk is within the risk acceptance level, no measures need to be implemented. If the risk is above the risk acceptance level, a decision must be made on whether to:
  - mitigate the risk (e.g., implement technical and organizational measures),
  - transfer the risk (e.g., through insurance),
  - avoid the risk (e.g., stop or adapt existing processes), or
  - accept the risk despite it being above the risk acceptance level (e.g., if a measure to reduce the risk would be more costly than the risk materializing).
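The steps above (identify a risk per asset, let the risk owner rate severity and probability, compute a score, compare it with the acceptance level, and record a handling decision) can be run through as a small risk register. The following Python is an added illustration, not part of the original text or of any particular ISMS tool: the 1..5 rating scales, the multiplicative score, the acceptance level of 6 and all assets, owners and threats in the register are assumptions made up for the example. It enforces the two rules from the text that are easy to get wrong in practice: a risk above the level must get an explicit decision, and accepting a risk above the level must be justified.

```python
"""Added example: a minimal risk register walking the steps described above.
Scales, scoring formula, acceptance level and sample data are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Handling(Enum):
    """Handling options named in the text, plus NONE for risks within the level."""
    NONE = "no measures required"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"
    ACCEPT = "accept above acceptance level"


@dataclass
class Risk:
    asset: str
    asset_owner: str      # identifies threats/vulnerabilities for the asset
    risk_owner: str       # rates severity/probability; may differ from asset owner
    threat: str
    severity: int         # assumed scale 1 (negligible) .. 5 (critical)
    probability: int      # assumed scale 1 (rare) .. 5 (almost certain)


SCALE = range(1, 6)  # assumed 1..5 rating scale


def risk_score(severity: int, probability: int) -> int:
    """Assumed scoring: severity x probability (1..25). Rejects off-scale input."""
    if severity not in SCALE or probability not in SCALE:
        raise ValueError("severity and probability must be on the 1..5 scale")
    return severity * probability


def within_acceptance(score: int, acceptance_level: int) -> bool:
    """A risk needs no measures when its score does not exceed the acceptance level."""
    return score <= acceptance_level


def decide(risk: Risk, acceptance_level: int,
           chosen: Optional[Handling] = None,
           justification: Optional[str] = None) -> Handling:
    """Apply the handling rule: at or below the level nothing is required; above it
    a decision (mitigate/transfer/avoid/accept) is mandatory, and accepting above
    the level must carry a written justification (e.g. measure costs more than loss)."""
    score = risk_score(risk.severity, risk.probability)
    if within_acceptance(score, acceptance_level):
        return Handling.NONE
    if chosen is None or chosen is Handling.NONE:
        raise ValueError(f"{risk.asset}: score {score} > {acceptance_level}, decision required")
    if chosen is Handling.ACCEPT and not justification:
        raise ValueError(f"{risk.asset}: accepting above the level needs a justification")
    return chosen


# Constructed sample register: fictitious assets, owners, threats and ratings.
ACCEPTANCE_LEVEL = 6
REGISTER = [
    (Risk("Mail gateway", "IT ops", "Security lead", "Employees click phishing mails", 4, 4),
     Handling.MITIGATE, "awareness training plus attachment sandboxing"),
    (Risk("Backup server", "IT ops", "IT ops", "Hardware failure", 5, 1),
     None, None),
    (Risk("Customer web app", "Product", "Security lead", "Attack on exposed service", 5, 3),
     Handling.TRANSFER, "cyber insurance policy"),
    (Risk("Legacy reporting tool", "Finance", "Finance", "Unpatched software compromised", 3, 3),
     Handling.ACCEPT, "replacement costs more than the expected loss; decommission in 12 months"),
]


def evaluate_register(register=REGISTER, acceptance_level=ACCEPTANCE_LEVEL):
    """One row per risk: asset, score, whether it is within the level, and the handling."""
    rows = []
    for risk, chosen, note in register:
        score = risk_score(risk.severity, risk.probability)
        handling = decide(risk, acceptance_level, chosen, note)
        rows.append({"asset": risk.asset, "score": score,
                     "within_level": within_acceptance(score, acceptance_level),
                     "handling": handling.value, "note": note})
    return rows


if __name__ == "__main__":
    for row in evaluate_register():
        print(row)
```

Running the module prints one row per risk; with the assumed data the backup server (score 5) stays within the level and needs no measures, while the other three exceed it and carry the recorded decision. Changing `ACCEPTANCE_LEVEL` shows how the same register yields different obligations, which is why the level itself should be a deliberate, documented choice.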