The IT Law Wiki

Risk management (RM) is

[a] process for anticipating problems and taking appropriate steps to mitigate risks and minimize their impact on program commitments. It involves identifying and documenting risks, categorizing them based on their estimated impact, prioritizing them, developing risk mitigation strategies, and tracking progress in executing the strategies.[1]

a management approach designed to reduce the risks inherent in a given project. It encompasses the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost-benefit analysis, selection, implementation and testing, security evaluation of safeguards, and overall security review.

It also allows system owners to balance the operational and economic costs of protective measures to achieve gains in mission capability by protecting the IT systems and data that support their organization's missions.

Computer security

Risk management is

[t]he process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.[2]

[t]he process of conducting a risk assessment, implementing a risk mitigation strategy, and employing techniques and procedures for the continuous monitoring of the security state of the information system. Risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place — synonymous with risk analysis.[3]

[t]he identification, assessment, and mitigation of probabilistic security events (risks) in information systems to a level commensurate with the value of the assets protected.[4]


Risk management is

[t]he comparison and analysis of the relative threat (intent and capability to collect the information); the vulnerability of the asset; the cost and administrative burden of possible countermeasures; and the value of the asset used to determine the appropriate level of protection to control and reduce the risk of compromise or disclosure to acceptable levels. Risk management allows the acceptance of risk in the security process based upon a cost-benefit analysis.[5]


An organization's risk management process is designed to protect the organization and its ability to perform its mission, not just its IT assets.

Effective risk management enables an organization to accomplish its mission(s) by

