Process

Addresses the day-to-day activities of identifying and protecting the organization from IT-related risks.

C1Assessment: Identify subject matter experts for risk assessments. Run risk assessments to identify, document, and quantify or score risks and their components. Assessments include the evaluation of exposure to risks and measurement of their potential impact.
C2Prioritization: Prioritize inherent and residual risks and risk handling strategies, based on the organization's risk tolerance – that is, what risk levels are acceptable.
C3Handling: Assign ownership to identified risks, and responsibility and accountability for developing risk handling strategies. Initiate implementation of risk handling strategies, where risks can be transferred, absorbed, or mitigated. Interact with incident management functions – see chapter 27, Service Provisioning (SRP).
C4Monitoring: Establish a risk register. Track and report risks and risk incidents, and validate the effectiveness of risk controls.