Risk management

Risks can come from various sources (i.e., threats), including uncertainty in international markets, political instability, the danger of project failure (at any phase of design, development, production, or sustainment of the life cycle), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack by an adversary, or events of uncertain or unpredictable root cause.

Mild risk follows a normal or near-normal probability distribution, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable.
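As an added illustration (not part of the original article), the following Python simulation shows what makes a normally distributed loss "mild": its running mean settles quickly and no single event dominates the total. It goes beyond the sentence above by also simulating a heavy-tailed (Pareto) loss for contrast, where the same two statistics misbehave. The distribution parameters, sample sizes, random seed and the `mild`/`wild` labels are assumptions chosen for the demonstration.

```python
import random


def running_means(samples):
    """Cumulative sample mean after each observation, i.e. what a planner
    would have estimated with the data available so far."""
    total = 0.0
    means = []
    for i, x in enumerate(samples, start=1):
        total += x
        means.append(total / i)
    return means


def normal_losses(n, mean=100.0, sd=15.0, seed=7):
    """'Mild' losses: normally distributed around a stable mean (assumed parameters)."""
    rng = random.Random(seed)
    return [rng.gauss(mean, sd) for _ in range(n)]


def pareto_losses(n, alpha=1.1, scale=100.0, seed=7):
    """Heavy-tailed losses for contrast (assumed parameters).
    random.paretovariate(alpha) draws X >= 1 with P(X > x) = x**-alpha;
    alpha just above 1 gives a finite mean but infinite variance, so the
    law of large numbers applies only very slowly."""
    rng = random.Random(seed)
    return [scale * rng.paretovariate(alpha) for _ in range(n)]


def max_share(samples):
    """Fraction of the total loss contributed by the single largest event."""
    return max(samples) / sum(samples)


def mean_drift(samples, head=1000):
    """Relative change of the running mean between the first `head`
    observations and the full sample: small when the mean is predictable."""
    means = running_means(samples)
    return abs(means[-1] - means[head - 1]) / means[head - 1]


def compare(n=20000, head=1000, seed=7):
    """Summary statistics for both loss models over the same sample size."""
    mild = normal_losses(n, seed=seed)
    wild = pareto_losses(n, seed=seed)
    return {
        "mild": {"drift": mean_drift(mild, head), "max_share": max_share(mild)},
        "wild": {"drift": mean_drift(wild, head), "max_share": max_share(wild)},
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name}: running-mean drift {stats['drift']:.3f}, "
              f"largest single event = {stats['max_share']:.1%} of total loss")
```

The practical reading: for the mild series the estimate made after 1,000 observations is already close to the estimate after 20,000, so past loss data is a usable predictor; for the heavy-tailed series the mean keeps moving and one event can be a large fraction of all losses, which is why such risks cannot be budgeted from averages alone.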

In the assessment process it is therefore critical to make the best-informed decisions possible, in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents and is particularly scanty in the case of catastrophic events, simply because of their infrequency.

Under the acceptance technique, the business intentionally assumes risks without financial protections in the hopes that possible gains will exceed prospective losses.

The transfer approach shields the business from losses by shifting risks to a third party, frequently in exchange for a fee, while the third party benefits from the project.

Last but not least, the reduction (mitigation) approach lowers risk by implementing controls that reduce the likelihood or the impact of a loss; insurance, which covers a variety of asset classes and reimburses the insured after a loss, is more accurately a form of transfer.

By effectively applying Health, Safety and Environment (HSE) management standards, organizations can achieve tolerable levels of residual risk.

In practice, if the insurer or contractor goes bankrupt or ends up in court, the original risk is likely to revert to the first party.

However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses "transferred", meaning that insurance may be described more accurately as a post-event compensatory mechanism.

This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great that it would hinder the goals of the organization too much.

For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software.

A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.

Practice, experience, and actual loss results will necessitate changes to the plan and provide information that allows different decisions to be made about the risks being faced.

Enterprise risk management (ERM) systems usually focus on safeguarding reputation, acknowledging its significant role in comprehensive risk management strategies.

In an article by Samuel Greengard published in 2010, two US legal cases are mentioned which emphasise the importance of having a strategy for dealing with risk.[37] Greengard recommends using industry-standard contract language as much as possible to reduce risk, relying on clauses which have been in use and subject to established court interpretation over a number of years.

Two events which prompted the European Commission to review customs risk management policy in 2012-13 were the September 11 attacks of 2001 and the 2010 transatlantic aircraft bomb plot involving packages being sent from Yemen to the United States, referred to by the Commission as "the October 2010 (Yemen) incident".

In 2013, the US Food and Drug Administration (FDA) introduced a further draft guidance expecting medical device manufacturers to submit cybersecurity risk analysis information.

This modeling requires an understanding of geographic distributions of people as well as an ability to calculate the likelihood of a natural disaster occurring.

The management of risks to persons and property in wilderness and remote natural areas has developed with increases in outdoor recreation participation and decreased social tolerance for loss.

This is a relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it supports.

The Verizon Data Breach Investigations Report (DBIR) shows how organizations can use the VERIS Community Database (VCDB) to estimate risk.

Using the HALOCK methodology within CIS RAM (the Center for Internet Security Risk Assessment Method) together with data from VCDB, practitioners can estimate threat likelihood for their own industry.
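The following Python example is added here and is not taken from CIS RAM, HALOCK or the DBIR. It shows the core of estimating threat likelihood from incident counts, and the caveat raised earlier on this page about sparse data for rare events: it fits a Poisson rate per (industry, threat action), derives the probability of at least one incident per year, flags estimates built on too few events, and replaces a zero count with a rule-of-three upper bound rather than a point estimate of zero. The incident records, industry and action names, the 10-year window and the `min_events` threshold are all constructed for the example; the actual CIS RAM scoring and the VCDB schema are not reproduced.

```python
import math
from collections import Counter

# Constructed incident records, NOT data from VCDB: (year, industry, threat action).
# Each tuple is one recorded incident inside a hypothetical 10-year observation window.
INCIDENTS = [
    (2014, "healthcare", "hacking"), (2015, "healthcare", "hacking"),
    (2015, "healthcare", "hacking"), (2016, "healthcare", "hacking"),
    (2017, "healthcare", "hacking"), (2018, "healthcare", "hacking"),
    (2018, "healthcare", "hacking"), (2019, "healthcare", "hacking"),
    (2020, "healthcare", "hacking"), (2021, "healthcare", "hacking"),
    (2022, "healthcare", "hacking"), (2023, "healthcare", "hacking"),
    (2016, "healthcare", "misuse"),  (2019, "healthcare", "misuse"),
    (2022, "healthcare", "misuse"),
    (2014, "finance", "hacking"),    (2016, "finance", "hacking"),
    (2017, "finance", "hacking"),    (2019, "finance", "hacking"),
    (2020, "finance", "hacking"),    (2021, "finance", "hacking"),
    (2023, "finance", "hacking"),
    (2018, "finance", "error"),
]
OBSERVATION_YEARS = range(2014, 2024)   # assumed window: 10 years of records


def count_incidents(records, years):
    """Count incidents per (industry, action), ignoring records outside the window."""
    counts = Counter()
    for year, industry, action in records:
        if year in years:
            counts[(industry, action)] += 1
    return counts


def rule_of_three_upper(n_trials):
    """Approximate 95% upper bound on a per-trial probability when zero events
    were observed in n_trials independent trials (the 'rule of three')."""
    return 3.0 / n_trials


def estimate_likelihood(records, years, industry, action, min_events=5):
    """Estimate the annual probability of at least one incident of this kind.

    Poisson model: rate = events per year, P(>=1 in a year) = 1 - exp(-rate).
    Estimates built on fewer than min_events observations (assumed threshold)
    are flagged as unreliable; a zero count additionally gets a rule-of-three
    upper bound, because 'never observed' is not 'probability zero'.
    """
    n_years = len(years)
    count = count_incidents(records, years)[(industry, action)]
    rate = count / n_years
    result = {
        "industry": industry, "action": action, "count": count,
        "annual_rate": rate,
        "p_at_least_one": 1.0 - math.exp(-rate),
        "reliable": count >= min_events,
    }
    if count == 0:
        result["p_upper_95"] = rule_of_three_upper(n_years)
    return result


def rank_threats(records, years, industry, actions):
    """Threat actions for one industry, most likely first."""
    estimates = [estimate_likelihood(records, years, industry, a) for a in actions]
    return sorted(estimates, key=lambda e: e["p_at_least_one"], reverse=True)


if __name__ == "__main__":
    for est in rank_threats(INCIDENTS, OBSERVATION_YEARS, "finance",
                            ["hacking", "error", "environmental"]):
        flag = "" if est["reliable"] else "  (too few events to trust)"
        print(f"{est['action']:<14} n={est['count']:<3} rate/yr={est['annual_rate']:.2f} "
              f"P(>=1/yr)={est['p_at_least_one']:.2f}{flag}")
        if "p_upper_95" in est:
            print(f"    no events observed: 95% upper bound about {est['p_upper_95']:.2f}/yr")
```

The reliability flag and the upper bound are the part worth keeping in a real assessment: a category with one event in ten years has a point estimate near 10% per year, but the data cannot distinguish that from 2% or 30%, and a category with no recorded events still carries a bound of roughly 3/n per year under this window.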

IT risk management includes "incident handling", an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events.

According to the SANS Institute, it is a six-step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

For the offshore oil and gas industry, operational risk management is regulated by the safety case regime in many countries.

Hazard identification and risk assessment tools and techniques are described in the international standard ISO 17776:2000, and organisations such as the IADC (International Association of Drilling Contractors) publish guidelines for Health, Safety and Environment (HSE) Case development which are based on the ISO standard.

Risk management is also applied to the assessment of microbiological contamination in relation to pharmaceutical products and cleanroom manufacturing environments.

Mitigation of these risks can involve various elements of the business including logistics and cybersecurity, as well as the areas of finance and operations.

Similarly, in pandemic prevention, understanding of risk helps communities stop the spread of disease and improve responses.

Figure (example of risk assessment): A NASA model showing areas at high risk from impact for the International Space Station.

Risk in Banking