An Introduction To
Information, Network and Internet Security


Decide how to manage the risks identified

Once the risks specific to the organisation have been determined, by whatever means, they must be managed so that the organisation is comfortable with the residual risk (i.e. the risk that remains after the chosen countermeasures have been implemented). It is now becoming understood that there is no such thing as 100% security in any organisation.

It has also been realised recently that it is impossible to avoid risk: one must quantify it and manage it. In all businesses there is a degree of risk. Risks that are taken and turned to one's advantage are a 'good thing' and are usually called 'opportunities'; risks that are not understood or are overlooked, and that affect the business adversely, are a 'bad thing'.

The idea of risk management is to identify all of the risks (good and bad) from a business perspective (so it is essential that the business is involved in the process) and to categorise and manage them properly to the benefit of the organisation. Typically a risk can be accepted, addressed (usually by implementing controls) or assigned (usually contractually or through insurance).

This process will produce the Organisation Risk Strategy with assigned accountabilities and responsibilities.
