Risks occur when threats exploit vulnerabilities and result in a loss. The loss can compromise assets and core business functions, and its impact can be seen in business costs. The steps in risk management are to identify threats and vulnerabilities, which can then be paired to help determine the impact of the risk. Implementing controls can reduce vulnerabilities. The amount spent on controls should be proportional to the risk.
Risks can be managed by choosing one of four techniques: avoiding, sharing or transferring, mitigating, or accepting. The primary risk management technique is mitigating risk, which is also known as risk reduction or risk treatment. Deciding to accept a loss becomes easier if a cost-benefit analysis (CBA) has been completed.