Risk management is a formal process that reduces the impact of threats and vulnerabilities. The process involves four general steps:

1) Frame the risk – Identify the threats throughout the organization that increase risk.

2) Assess the risk – Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses.

3) Respond to the risk – Develop an action plan to reduce overall organization risk exposure. Management should rank and prioritize threats and a team determines how to respond to each threat.

4) Monitor the risk – Continuously review risk reductions due to elimination, mitigation and transfer actions.

Risk management is the identification, evaluation, and prioritization of risks. Organizations manage risk in one of four ways:

1) Avoidance (Elimination) – Risk avoidance is the complete removal or elimination of risk from a specific threat.

2) Mitigation (Reduction) – Risk mitigation involves implementing controls that allow the organization to continue to perform an activity while using mechanisms to reduce the risk from a particular threat.

3) Transfer – Organizations can transfer risk from specific threats to a third party person or another organization.

4) Accept – Accepting risk involves the identification of the threats but not implementing mitigation processes based on a conscious decision.

Risk is the probability of loss due to a threat that damages information systems or organizational assets.

Vulnerability is a weakness in information systems.