Risk Management: the act, manner, or practice of supervising or controlling risks, including avoidance, acceptance, mitigation, or transfer of risks. The objective of risk management is not to eliminate all risk, but rather to keep risk at a level where protection failures are within anticipated and acceptable ranges.
Components of Risk Management
- Risk Assessment: Risks are analyzed and likelihood and impact are considered as a basis for determining how they should be controlled and managed. Risks are assessed on an inherent and a residual basis.
- Risk Response: Dependent upon data and resource classification, a set of actions and controls is developed (avoiding, accepting, reducing, or sharing risk) to align risks with the entity’s risk tolerances and risk appetite.
- Control Activities: Policies and procedures are established, implemented, and enforced to help ensure the risk responses are effectively carried out.
- Information and Communication: Relevant information is identified, captured, and communicated to enable people to carry out their roles and responsibilities as effectively as possible. Communication occurs in a broad sense, flowing down, across, and up the entity.
- Monitoring: The entirety of risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing risk management activities, separate evaluations, or both.
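The Risk Assessment and Risk Response components above become concrete once likelihood, impact, controls and tolerance are put on a scale. The following added example (written for this page; it is not from any standard or from the original text) keeps a small risk register, scores each risk on an inherent basis (before controls) and a residual basis (after controls), and maps the residual score onto the four responses named above according to a tolerance set per data classification. The 5-point scales, the control effects, the `TOLERANCE` table, the `AVOID_AT` threshold and the decision rules in `recommend_response` are all assumptions chosen to show the mechanics, as are the sample risks.

```python
"""Illustrative risk register: inherent vs. residual scoring and response selection.

Constructed example; the 5x5 scale, control effects, tolerance thresholds and
decision rules are assumptions, not a published methodology.
"""
from dataclasses import dataclass, field

# Assumed 5-point ordinal scales for likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk tolerance: the highest residual score accepted per data classification.
TOLERANCE = {"confidential": 4, "internal": 9, "public": 15}
# Assumed avoidance threshold: residual risk this high means the activity itself should stop.
AVOID_AT = 20


@dataclass
class Control:
    """A control modelled by how many scale steps it removes from likelihood or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    classification: str          # data/resource classification that selects the tolerance
    likelihood: str              # key into LIKELIHOOD
    impact: str                  # key into IMPACT
    controls: list = field(default_factory=list)

    def inherent(self):
        """Likelihood and impact before any control is considered."""
        return LIKELIHOOD[self.likelihood], IMPACT[self.impact]

    def residual(self):
        """Likelihood and impact after the listed controls, floored at 1 on each axis."""
        lik, imp = self.inherent()
        lik -= sum(c.likelihood_reduction for c in self.controls)
        imp -= sum(c.impact_reduction for c in self.controls)
        return max(1, lik), max(1, imp)

    def inherent_score(self) -> int:
        lik, imp = self.inherent()
        return lik * imp

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp


def recommend_response(risk: Risk) -> str:
    """Map residual risk onto the four responses named in the text.

    Assumed policy: within tolerance -> accept; at or above AVOID_AT -> avoid;
    low-likelihood/high-impact -> share (e.g. insurance, contractual transfer);
    everything else -> reduce by adding or strengthening controls.
    """
    score = risk.residual_score()
    lik, imp = risk.residual()
    if score <= TOLERANCE[risk.classification]:
        return "accept"
    if score >= AVOID_AT:
        return "avoid"
    if imp >= 4 and lik <= 2:
        return "share"
    return "reduce"


def assess_register(risks):
    """Produce one register row per risk: scores, tolerance and the recommended response."""
    return {
        r.name: {
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "tolerance": TOLERANCE[r.classification],
            "response": recommend_response(r),
        }
        for r in risks
    }


# Constructed sample register (names and ratings are illustrative only).
SAMPLE_RISKS = [
    Risk("credential stuffing on customer portal", "confidential", "likely", "major",
         [Control("MFA", likelihood_reduction=2), Control("rate limiting", likelihood_reduction=1)]),
    Risk("SQL injection in legacy app", "confidential", "likely", "severe",
         [Control("WAF", likelihood_reduction=1)]),
    Risk("data center fire", "confidential", "rare", "severe"),
    Risk("card numbers in plaintext logs", "confidential", "almost_certain", "severe"),
]

if __name__ == "__main__":
    for name, row in assess_register(SAMPLE_RISKS).items():
        print(f"{name}: inherent={row['inherent']} residual={row['residual']} "
              f"tolerance={row['tolerance']} -> {row['response']}")
```

Running the script lists each sample risk with both scores; the first risk shows the point of the residual basis, since an inherent score of 16 drops to 4 once MFA and rate limiting are counted, which is what brings it inside the confidential tolerance and makes "accept" a defensible response rather than a guess. The Monitoring component then amounts to re-running this assessment when a control changes or a new risk is added.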