<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Risk_Management</id>
	<title>Risk Management - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Risk_Management"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Risk_Management&amp;action=history"/>
	<updated>2026-07-11T14:06:47Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=Risk_Management&amp;diff=428&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;&#039;&#039;&#039;Summary:&#039;&#039;&#039; Risk Management is the structured process of identifying, assessing, treating, monitoring, and reviewing uncertainty that could affect the achievement of objectives. Effective risk management improves decision-making, protects assets, supports business continuity, and enables organisations to pursue opportunities with greater confidence.  Risk exists in every activity, whether managing infrastructure, delivering projects, operating services, deploying soft...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Risk_Management&amp;diff=428&amp;oldid=prev"/>
		<updated>2026-07-06T06:53:11Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039; Risk Management is the structured process of identifying, assessing, treating, monitoring, and reviewing uncertainty that could affect the achievement of objectives. Effective risk management improves decision-making, protects assets, supports business continuity, and enables organisations to pursue opportunities with greater confidence.  Risk exists in every activity, whether managing infrastructure, delivering projects, operating services, deploying soft...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Summary:&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
Risk Management is the structured process of identifying, assessing, treating, monitoring, and reviewing uncertainty that could affect the achievement of objectives. Effective risk management improves decision-making, protects assets, supports business continuity, and enables organisations to pursue opportunities with greater confidence.&lt;br /&gt;
&lt;br /&gt;
Risk exists in every activity, whether managing infrastructure, delivering projects, operating services, deploying software, or making strategic business decisions. The goal is not to eliminate risk entirely, but to understand it well enough to make informed choices.&lt;br /&gt;
&lt;br /&gt;
== Context ==&lt;br /&gt;
&lt;br /&gt;
=== Why Risk Management Matters ===&lt;br /&gt;
&lt;br /&gt;
Every organisation operates in an environment filled with uncertainty. Systems fail, suppliers become unavailable, projects encounter delays, security threats emerge, and business priorities change.&lt;br /&gt;
&lt;br /&gt;
Without a structured approach to risk management, organisations often react to problems only after they occur. This reactive approach can lead to increased costs, service disruption, damaged reputation, regulatory issues, and missed opportunities.&lt;br /&gt;
&lt;br /&gt;
Risk management provides a framework for anticipating potential problems before they become incidents.&lt;br /&gt;
&lt;br /&gt;
=== Risk Is Not Always Negative ===&lt;br /&gt;
&lt;br /&gt;
A common misconception is that risk only refers to threats and undesirable outcomes.&lt;br /&gt;
&lt;br /&gt;
In practice, risk is uncertainty that may have either a positive or negative effect on objectives.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* A new technology may introduce implementation risks.&lt;br /&gt;
* The same technology may also create opportunities for increased efficiency.&lt;br /&gt;
* Entering a new market may expose a business to financial uncertainty.&lt;br /&gt;
* The same decision may create significant growth opportunities.&lt;br /&gt;
&lt;br /&gt;
Good risk management considers both threats and opportunities.&lt;br /&gt;
&lt;br /&gt;
=== Common Misconceptions ===&lt;br /&gt;
&lt;br /&gt;
Some organisations view risk management as a compliance exercise performed solely to satisfy auditors.&lt;br /&gt;
&lt;br /&gt;
Others believe that maintaining a risk register is sufficient.&lt;br /&gt;
&lt;br /&gt;
In reality, risk management is most valuable when it influences day-to-day decision-making and becomes part of organisational culture.&lt;br /&gt;
&lt;br /&gt;
== Core Concepts ==&lt;br /&gt;
&lt;br /&gt;
=== Risk ===&lt;br /&gt;
&lt;br /&gt;
A risk is a potential event or condition that may impact one or more objectives.&lt;br /&gt;
&lt;br /&gt;
A useful format for documenting risks is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
If [event occurs],&lt;br /&gt;
Then [impact may result],&lt;br /&gt;
Affecting [objective].&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
If the primary internet connection fails,&lt;br /&gt;
Then remote access services may become unavailable,&lt;br /&gt;
Affecting business operations.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Threat ===&lt;br /&gt;
&lt;br /&gt;
A threat is something capable of causing harm.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Cyber attacks&lt;br /&gt;
* Hardware failure&lt;br /&gt;
* Human error&lt;br /&gt;
* Extreme weather&lt;br /&gt;
* Supply chain disruption&lt;br /&gt;
&lt;br /&gt;
=== Vulnerability ===&lt;br /&gt;
&lt;br /&gt;
A vulnerability is a weakness that could be exploited by a threat.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Unsupported software&lt;br /&gt;
* Single points of failure&lt;br /&gt;
* Weak authentication controls&lt;br /&gt;
* Insufficient backups&lt;br /&gt;
&lt;br /&gt;
=== Impact ===&lt;br /&gt;
&lt;br /&gt;
Impact measures the consequences should a risk occur.&lt;br /&gt;
&lt;br /&gt;
Impact may be measured in:&lt;br /&gt;
&lt;br /&gt;
* Financial loss&lt;br /&gt;
* Service outage duration&lt;br /&gt;
* Regulatory penalties&lt;br /&gt;
* Reputational damage&lt;br /&gt;
* Health and safety effects&lt;br /&gt;
&lt;br /&gt;
=== Likelihood ===&lt;br /&gt;
&lt;br /&gt;
Likelihood estimates the probability of a risk occurring within a defined period.&lt;br /&gt;
&lt;br /&gt;
Likelihood should be based on evidence wherever possible rather than guesswork.&lt;br /&gt;
&lt;br /&gt;
=== Risk Appetite ===&lt;br /&gt;
&lt;br /&gt;
Risk appetite defines the level of risk an organisation is willing to accept in pursuit of its objectives.&lt;br /&gt;
&lt;br /&gt;
Different organisations have different appetites for risk.&lt;br /&gt;
&lt;br /&gt;
A financial institution may have a very low tolerance for security risks, while a technology startup may willingly accept greater operational risks in exchange for faster innovation.&lt;br /&gt;
&lt;br /&gt;
== The Risk Management Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
=== Risk Identification ===&lt;br /&gt;
&lt;br /&gt;
The first step is discovering potential risks.&lt;br /&gt;
&lt;br /&gt;
Common techniques include:&lt;br /&gt;
&lt;br /&gt;
* Workshops&lt;br /&gt;
* Interviews&lt;br /&gt;
* Brainstorming sessions&lt;br /&gt;
* Lessons learned reviews&lt;br /&gt;
* Security assessments&lt;br /&gt;
* Architecture reviews&lt;br /&gt;
* Audit findings&lt;br /&gt;
&lt;br /&gt;
The objective is to identify risks before they manifest as issues.&lt;br /&gt;
&lt;br /&gt;
=== Risk Assessment ===&lt;br /&gt;
&lt;br /&gt;
Each identified risk is evaluated based on:&lt;br /&gt;
&lt;br /&gt;
* Likelihood&lt;br /&gt;
* Impact&lt;br /&gt;
* Existing controls&lt;br /&gt;
&lt;br /&gt;
This assessment determines the overall level of risk and helps prioritise mitigation efforts.&lt;br /&gt;
&lt;br /&gt;
=== Risk Treatment ===&lt;br /&gt;
&lt;br /&gt;
Treatment involves selecting an appropriate response.&lt;br /&gt;
&lt;br /&gt;
Common responses include:&lt;br /&gt;
&lt;br /&gt;
* Accept&lt;br /&gt;
* Avoid&lt;br /&gt;
* Mitigate&lt;br /&gt;
* Transfer&lt;br /&gt;
&lt;br /&gt;
These are explored later in this article.&lt;br /&gt;
&lt;br /&gt;
=== Risk Monitoring ===&lt;br /&gt;
&lt;br /&gt;
Risk environments change continuously.&lt;br /&gt;
&lt;br /&gt;
A risk that was acceptable six months ago may become critical due to changing business requirements, emerging threats, or environmental changes.&lt;br /&gt;
&lt;br /&gt;
Monitoring ensures records remain accurate and relevant.&lt;br /&gt;
&lt;br /&gt;
=== Risk Review ===&lt;br /&gt;
&lt;br /&gt;
Periodic reviews validate assumptions and determine whether controls remain effective.&lt;br /&gt;
&lt;br /&gt;
Reviews should occur:&lt;br /&gt;
&lt;br /&gt;
* At defined intervals&lt;br /&gt;
* After significant incidents&lt;br /&gt;
* Following major changes&lt;br /&gt;
* At project milestones&lt;br /&gt;
&lt;br /&gt;
== Risk Assessment Methods ==&lt;br /&gt;
&lt;br /&gt;
=== Qualitative Assessment ===&lt;br /&gt;
&lt;br /&gt;
Qualitative approaches use subjective ratings such as:&lt;br /&gt;
&lt;br /&gt;
* Low&lt;br /&gt;
* Medium&lt;br /&gt;
* High&lt;br /&gt;
&lt;br /&gt;
or&lt;br /&gt;
&lt;br /&gt;
* Very Low&lt;br /&gt;
* Low&lt;br /&gt;
* Moderate&lt;br /&gt;
* High&lt;br /&gt;
* Critical&lt;br /&gt;
&lt;br /&gt;
These methods are simple and suitable for many operational environments.&lt;br /&gt;
&lt;br /&gt;
=== Quantitative Assessment ===&lt;br /&gt;
&lt;br /&gt;
Quantitative approaches assign numerical values to likelihood and impact.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Financial exposure&lt;br /&gt;
* Expected annual loss&lt;br /&gt;
* Statistical probability models&lt;br /&gt;
&lt;br /&gt;
These approaches support more detailed decision-making but require reliable data.&lt;br /&gt;
&lt;br /&gt;
=== Risk Matrix Models ===&lt;br /&gt;
&lt;br /&gt;
Many organisations use a risk matrix.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Impact&lt;br /&gt;
          Low  Med  High&lt;br /&gt;
Low       Low  Low  Med&lt;br /&gt;
Medium    Low  Med  High&lt;br /&gt;
High      Med  High Critical&lt;br /&gt;
          Likelihood&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Risk matrices help stakeholders quickly visualise priorities.&lt;br /&gt;
&lt;br /&gt;
== Practical Application ==&lt;br /&gt;
&lt;br /&gt;
=== Project Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Projects introduce uncertainty through:&lt;br /&gt;
&lt;br /&gt;
* Budget constraints&lt;br /&gt;
* Resource limitations&lt;br /&gt;
* Technical complexity&lt;br /&gt;
* External dependencies&lt;br /&gt;
&lt;br /&gt;
Project risks should be reviewed regularly throughout the project lifecycle rather than only during initiation.&lt;br /&gt;
&lt;br /&gt;
=== Operational Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Operational risks affect day-to-day business functions.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Infrastructure failure&lt;br /&gt;
* Staffing shortages&lt;br /&gt;
* Supplier issues&lt;br /&gt;
* Process failures&lt;br /&gt;
&lt;br /&gt;
These risks are often ongoing and require continuous monitoring.&lt;br /&gt;
&lt;br /&gt;
=== Information Security Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Information security is fundamentally a risk management discipline.&lt;br /&gt;
&lt;br /&gt;
Controls such as:&lt;br /&gt;
&lt;br /&gt;
* Multi-factor authentication&lt;br /&gt;
* Encryption&lt;br /&gt;
* Network segmentation&lt;br /&gt;
* Monitoring and alerting&lt;br /&gt;
&lt;br /&gt;
exist to reduce risk to acceptable levels.&lt;br /&gt;
&lt;br /&gt;
Absolute security is rarely achievable; the objective is managed risk.&lt;br /&gt;
&lt;br /&gt;
=== Business Continuity Considerations ===&lt;br /&gt;
&lt;br /&gt;
Business continuity planning focuses on maintaining essential services when risks materialise.&lt;br /&gt;
&lt;br /&gt;
Questions often include:&lt;br /&gt;
&lt;br /&gt;
* What happens if this system fails?&lt;br /&gt;
* How long can the business function without it?&lt;br /&gt;
* What alternatives exist?&lt;br /&gt;
* How quickly must recovery occur?&lt;br /&gt;
&lt;br /&gt;
Risk management provides the information required to answer these questions.&lt;br /&gt;
&lt;br /&gt;
== Common Risk Treatment Strategies ==&lt;br /&gt;
&lt;br /&gt;
=== Accept ===&lt;br /&gt;
&lt;br /&gt;
A risk may be accepted when:&lt;br /&gt;
&lt;br /&gt;
* Impact is minimal&lt;br /&gt;
* Likelihood is low&lt;br /&gt;
* Mitigation costs exceed potential losses&lt;br /&gt;
&lt;br /&gt;
Acceptance should always be a conscious decision.&lt;br /&gt;
&lt;br /&gt;
=== Avoid ===&lt;br /&gt;
&lt;br /&gt;
Avoidance removes the activity that creates the risk.&lt;br /&gt;
&lt;br /&gt;
Example:&lt;br /&gt;
&lt;br /&gt;
A business may choose not to deploy an unsupported application rather than assume the associated security risk.&lt;br /&gt;
&lt;br /&gt;
=== Mitigate ===&lt;br /&gt;
&lt;br /&gt;
Mitigation reduces either likelihood or impact.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Redundant systems&lt;br /&gt;
* Automated backups&lt;br /&gt;
* Security controls&lt;br /&gt;
* Additional testing&lt;br /&gt;
&lt;br /&gt;
Most organisational risk management activity falls into this category.&lt;br /&gt;
&lt;br /&gt;
=== Transfer ===&lt;br /&gt;
&lt;br /&gt;
Transfer shifts some responsibility to another party.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Insurance&lt;br /&gt;
* Outsourced services&lt;br /&gt;
* Contractual agreements&lt;br /&gt;
&lt;br /&gt;
Responsibility may be transferred, but accountability often remains.&lt;br /&gt;
&lt;br /&gt;
== Common Pitfalls ==&lt;br /&gt;
&lt;br /&gt;
=== Treating Risk Registers as a Tick-Box Exercise ===&lt;br /&gt;
&lt;br /&gt;
A risk register that is never reviewed provides little value.&lt;br /&gt;
&lt;br /&gt;
Risk information must inform decision-making.&lt;br /&gt;
&lt;br /&gt;
=== Ignoring Low Probability, High Impact Events ===&lt;br /&gt;
&lt;br /&gt;
Rare events may still be catastrophic.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Major cyber incidents&lt;br /&gt;
* Datacentre destruction&lt;br /&gt;
* Long-term supplier failure&lt;br /&gt;
&lt;br /&gt;
These events often justify contingency planning despite their low probability.&lt;br /&gt;
&lt;br /&gt;
=== Failure to Review Risks Regularly ===&lt;br /&gt;
&lt;br /&gt;
Environments change.&lt;br /&gt;
&lt;br /&gt;
Technology changes.&lt;br /&gt;
&lt;br /&gt;
Threat actors change.&lt;br /&gt;
&lt;br /&gt;
Businesses change.&lt;br /&gt;
&lt;br /&gt;
Risk records must evolve accordingly.&lt;br /&gt;
&lt;br /&gt;
=== Confusing Issues with Risks ===&lt;br /&gt;
&lt;br /&gt;
A risk is a potential future event.&lt;br /&gt;
&lt;br /&gt;
An issue is something that has already occurred.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Risk:&lt;br /&gt;
The storage platform may exceed capacity.&lt;br /&gt;
&lt;br /&gt;
Issue:&lt;br /&gt;
The storage platform has exceeded capacity.&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This distinction is important for effective governance.&lt;br /&gt;
&lt;br /&gt;
== Design &amp;amp; Architecture Considerations ==&lt;br /&gt;
&lt;br /&gt;
=== Risk Ownership ===&lt;br /&gt;
&lt;br /&gt;
Every significant risk should have a clearly identified owner.&lt;br /&gt;
&lt;br /&gt;
Risk owners are responsible for:&lt;br /&gt;
&lt;br /&gt;
* Monitoring&lt;br /&gt;
* Reporting&lt;br /&gt;
* Reviewing&lt;br /&gt;
* Escalating when required&lt;br /&gt;
&lt;br /&gt;
=== Escalation Paths ===&lt;br /&gt;
&lt;br /&gt;
High-priority risks require clear escalation procedures.&lt;br /&gt;
&lt;br /&gt;
Decision-makers should understand:&lt;br /&gt;
&lt;br /&gt;
* Severity&lt;br /&gt;
* Potential consequences&lt;br /&gt;
* Required actions&lt;br /&gt;
* Time sensitivity&lt;br /&gt;
&lt;br /&gt;
=== Reporting and Communication ===&lt;br /&gt;
&lt;br /&gt;
Risk information should be understandable by both technical and non-technical audiences.&lt;br /&gt;
&lt;br /&gt;
Effective reporting focuses on:&lt;br /&gt;
&lt;br /&gt;
* Business impact&lt;br /&gt;
* Trends&lt;br /&gt;
* Control effectiveness&lt;br /&gt;
* Required decisions&lt;br /&gt;
&lt;br /&gt;
=== Culture and Accountability ===&lt;br /&gt;
&lt;br /&gt;
Strong risk cultures encourage individuals to report concerns early.&lt;br /&gt;
&lt;br /&gt;
The objective is not assigning blame.&lt;br /&gt;
&lt;br /&gt;
The objective is identifying and managing uncertainty before it causes harm.&lt;br /&gt;
&lt;br /&gt;
== Troubleshooting &amp;amp; Diagnostics ==&lt;br /&gt;
&lt;br /&gt;
=== Indicators of Poor Risk Management ===&lt;br /&gt;
&lt;br /&gt;
Warning signs may include:&lt;br /&gt;
&lt;br /&gt;
* Repeated incidents&lt;br /&gt;
* Surprise failures&lt;br /&gt;
* Unmaintained risk registers&lt;br /&gt;
* Lack of ownership&lt;br /&gt;
* Poor disaster recovery preparedness&lt;br /&gt;
&lt;br /&gt;
=== Reviewing Failed Controls ===&lt;br /&gt;
&lt;br /&gt;
When an incident occurs, organisations should examine:&lt;br /&gt;
&lt;br /&gt;
* Which controls failed?&lt;br /&gt;
* Why did they fail?&lt;br /&gt;
* Were assumptions accurate?&lt;br /&gt;
* Were warnings missed?&lt;br /&gt;
&lt;br /&gt;
This process improves future decision-making.&lt;br /&gt;
&lt;br /&gt;
=== Lessons Learned Processes ===&lt;br /&gt;
&lt;br /&gt;
Post-incident reviews often provide the most valuable risk management insights.&lt;br /&gt;
&lt;br /&gt;
A mature organisation treats incidents as opportunities for improvement rather than simply restoring service and moving on.&lt;br /&gt;
&lt;br /&gt;
== Design Philosophy ==&lt;br /&gt;
&lt;br /&gt;
Risk management should not become a barrier to progress.&lt;br /&gt;
&lt;br /&gt;
Every meaningful activity involves uncertainty.&lt;br /&gt;
&lt;br /&gt;
The purpose of risk management is to provide visibility, support informed decisions, and ensure organisations understand the consequences of their choices.&lt;br /&gt;
&lt;br /&gt;
The most effective risk management practices are often the least visible. They are embedded within planning, architecture, operations, governance, and culture.&lt;br /&gt;
&lt;br /&gt;
When done well, risk management does not eliminate uncertainty.&lt;br /&gt;
&lt;br /&gt;
It allows organisations to move forward with their eyes open.&lt;br /&gt;
&lt;br /&gt;
== Related Topics ==&lt;br /&gt;
&lt;br /&gt;
* [[Business Continuity]]&lt;br /&gt;
* [[Disaster Recovery]]&lt;br /&gt;
* [[Incident Management]]&lt;br /&gt;
* [[Information Security Management]]&lt;br /&gt;
* [[Project Governance]]&lt;br /&gt;
* [[ISO 9001]]&lt;br /&gt;
* [[ISO 27001]]&lt;br /&gt;
* [[Change Management]]&lt;br /&gt;
* [[Infrastructure Resilience]]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&lt;br /&gt;
* ISO 31000 – Risk Management Guidelines&lt;br /&gt;
* ISO 9001 – Quality Management Systems&lt;br /&gt;
* ISO 27001 – Information Security Management Systems&lt;br /&gt;
* NIST Risk Management Framework (RMF)&lt;br /&gt;
* NIST Cybersecurity Framework (CSF)&lt;br /&gt;
* COBIT Governance Framework&lt;br /&gt;
* PMI Project Management Body of Knowledge (PMBOK)&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>