Identify subject matter experts (SMEs) for risk assessments. Run risk assessments to identify, document, evaluate exposure to, and quantify/score risks and their components. Record the results in a risk register.
Prioritize inherent and residual risks and risk response/treatment strategies, based on the organization's risk tolerance — that is, the risk levels that are acceptable to the organization.
Assign ownership to prioritized risks, and assign responsibility and accountability for developing risk response/treatment strategies. Initiate implementation of risk response/treatment strategies, where risks can be avoided, accepted, mitigated, or transferred. Interact with incident management functions.