Risk management

Example of risk assessment: A NASA model showing areas at high risk from impact for the International Space Station

Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events[1] or to maximize the realization of opportunities.

Risks can come from various sources, including uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root cause. Events fall into two types: negative events are classified as risks, while positive events are classified as opportunities. Several risk management standards have been developed by bodies including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO.[2][3] Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for producing no measurable improvement in risk, whereas confidence in estimates and decisions seems to increase.[1] For example, one study found that one in six IT projects were "black swans" with gigantic overruns (cost overruns averaged 200%, and schedule overruns 70%).[4]


For the most part, these methods consist of the following elements, performed, more or less, in the following order.

  1. identify, characterize threats
  2. assess the vulnerability of critical assets to specific threats
  3. determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
  4. identify ways to reduce those risks
  5. prioritize risk reduction measures
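The five steps above worked quantitatively on a constructed sample risk register (an added example, not part of the article): risk is scored as expected annual loss, each candidate treatment is tagged with one of the strategies named earlier (avoid, reduce, transfer, retain), and measures are prioritized by net annual benefit, so a measure that costs more than it saves, or plain retention, is not selected.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:  # steps 1-2: a characterized threat against one asset
    asset: str
    attack: str
    likelihood: float     # annual probability the attack is attempted
    vulnerability: float  # probability an attempt succeeds against this asset
    impact: float         # loss (currency units) if it succeeds

@dataclass(frozen=True)
class Treatment:  # step 4: a candidate measure; factors scale the threat after treatment
    name: str
    strategy: str         # "avoid", "reduce", "transfer" or "retain"
    threat: Threat
    annual_cost: float
    likelihood_factor: float = 1.0
    vulnerability_factor: float = 1.0
    impact_factor: float = 1.0

def expected_loss(t: Threat) -> float:
    """Step 3: risk as expected annual loss for one attack type on one asset."""
    return t.likelihood * t.vulnerability * t.impact

def residual_loss(tr: Treatment) -> float:
    """Expected annual loss remaining once the treatment is applied."""
    t = tr.threat
    return (t.likelihood * tr.likelihood_factor * t.vulnerability
            * tr.vulnerability_factor * t.impact * tr.impact_factor)

def prioritize(treatments):
    """Step 5: rank by net annual benefit (risk reduction minus cost). Measures that
    cost more than they save, and retention (no reduction, no cost), drop out."""
    ranked = []
    for tr in treatments:
        net = expected_loss(tr.threat) - residual_loss(tr) - tr.annual_cost
        if net > 0:
            ranked.append((tr.name, tr.strategy, round(net, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample register: illustrative numbers, not from the article.
SQLI = Threat("web server", "SQL injection", 0.9, 0.3, 200_000)
THEFT = Threat("laptop", "theft", 0.2, 1.0, 50_000)
FLOOD = Threat("office", "flood", 0.02, 1.0, 1_000_000)
TREATMENTS = [
    Treatment("parameterized queries + WAF", "reduce", SQLI, 15_000, vulnerability_factor=0.1),
    Treatment("full-disk encryption", "reduce", THEFT, 2_000, impact_factor=0.1),
    Treatment("flood insurance", "transfer", FLOOD, 8_000, impact_factor=0.05),
    Treatment("relocate office", "avoid", FLOOD, 500_000, likelihood_factor=0.0),
    Treatment("accept laptop theft", "retain", THEFT, 0.0),
]
```

Calling `prioritize(TREATMENTS)` returns the three measures with positive net benefit, highest first; the avoidance option and the retained risk are left out.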