Risk Management — From Guesswork to Governance

Risk management is not about eliminating risk. It is about making structured, defensible decisions on which risks to take, reduce, transfer, or accept.

What Risk Actually Means

Risk = Threat × Vulnerability × Impact

Read this as a relationship, not as arithmetic: if any factor is zero there is no risk. A known vulnerability with no threat able to reach it is an exposure, not a risk; a capable threat against a system with no exploitable weakness is likewise not a risk. Risk exists only where all three meet.

CISSP mindset: Risk is not a technical problem. It is a business decision supported by security data.

Risk Lifecycle

1. Risk Identification

Catalogue the assets, the threats to them, and the vulnerabilities a threat could exploit. A risk that is never identified is never analysed, evaluated, or treated.

2. Risk Analysis

Estimate likelihood and impact for each identified risk, either qualitatively (high, medium, low) or quantitatively (annual loss expectancy, ALE = SLE × ARO: single loss expectancy times annualised rate of occurrence).

3. Risk Evaluation

Compare the analysed risk against risk appetite and tolerance to decide whether it needs treatment or can be carried as is.

4. Risk Treatment

Choose one of four options: mitigate (reduce with controls), transfer (insurance, contracts), avoid (remove the activity or system), or accept (a documented decision by the business owner).

Inherent vs Residual Risk

Inherent Risk: the risk before any controls are applied

Residual Risk: the risk that remains after controls are applied

Controls do not eliminate risk. They only reduce it. Residual risk therefore always exists; it must be evaluated against tolerance and explicitly accepted by the risk owner, not assumed away because a control was deployed.

Risk Ownership

The most critical concept candidates miss:

Security identifies risk.
Business owns the decision.

If security teams are “accepting risk”, governance is already broken.

Risk Register

The register is the single record of every identified risk: description, business owner, likelihood, impact, inherent and residual rating, chosen treatment, who made the decision, and the next review date.

A risk not tracked is a risk already accepted — just undocumented.
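The lifecycle, the inherent/residual distinction, the ownership rule and the register above, worked as a small Python risk register. This is an added example, not code from the original notes; the quantitative model (ALE = SLE × ARO), the three sample risks, the control reduction factors and the 25,000-per-year tolerance are all constructed for illustration and are not figures the page supplies.

```python
"""Added example: a minimal risk register walking the lifecycle.

Model (standard quantitative analysis, not taken from the page):
    ALE = SLE x ARO   (annual loss expectancy = single loss x annual rate)
Risk = Threat x Vulnerability x Impact is mirrored here: no active threat
(ARO = 0) or no exploitable vulnerability gives ALE = 0.
All risks, controls and money figures below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}


@dataclass
class Control:
    name: str
    aro_reduction: float = 0.0   # fraction of occurrences prevented, 0..1
    sle_reduction: float = 0.0   # fraction of per-incident loss avoided, 0..1


@dataclass
class Risk:
    risk_id: str
    description: str
    business_owner: str          # the only party allowed to accept this risk
    sle: float                   # single loss expectancy (impact), in currency
    aro: float                   # annualised rate of occurrence (threat activity)
    vulnerable: bool             # is there an exploitable weakness?
    controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None
    decided_by: Optional[str] = None

    def inherent_ale(self) -> float:
        """Step 2, before controls: zero if there is no threat or no vulnerability."""
        if not self.vulnerable or self.aro <= 0:
            return 0.0
        return self.sle * self.aro

    def residual_ale(self) -> float:
        """Risk left after controls. Each control scales ARO and/or SLE; reductions
        are capped at 99% because controls reduce risk, they never eliminate it."""
        if self.inherent_ale() == 0.0:
            return 0.0
        sle, aro = self.sle, self.aro
        for c in self.controls:
            aro *= 1.0 - min(c.aro_reduction, 0.99)
            sle *= 1.0 - min(c.sle_reduction, 0.99)
        return sle * aro


class RiskRegister:
    def __init__(self, tolerance: float):
        self.tolerance = tolerance      # highest residual ALE the business tolerates
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        """Step 1: an identified risk enters the register; untracked = silently accepted."""
        self.risks[risk.risk_id] = risk

    def evaluate(self, risk_id: str) -> str:
        """Step 3: compare residual risk with tolerance."""
        r = self.risks[risk_id]
        return "within tolerance" if r.residual_ale() <= self.tolerance else "exceeds tolerance"

    def treat(self, risk_id: str, treatment: str, decided_by: str) -> None:
        """Step 4: record the decision. Anyone may propose mitigate/transfer/avoid,
        but 'accept' is refused unless the decider is the business owner."""
        if treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {treatment!r}")
        r = self.risks[risk_id]
        if treatment == "accept" and decided_by != r.business_owner:
            raise PermissionError(f"{decided_by} cannot accept {risk_id}; owner is {r.business_owner}")
        r.treatment, r.decided_by = treatment, decided_by

    def untreated(self) -> List[str]:
        """Risks with no recorded decision: the undocumented-acceptance backlog."""
        return [rid for rid, r in self.risks.items() if r.treatment is None]


def build_register() -> RiskRegister:
    """Constructed sample data: three risks against a tolerance of 25,000 per year."""
    reg = RiskRegister(tolerance=25_000)
    reg.add(Risk("R-001", "SQL injection in internet-facing order portal",
                 business_owner="head-of-sales", sle=200_000, aro=0.5, vulnerable=True,
                 controls=[Control("WAF with virtual patch", aro_reduction=0.8)]))
    reg.add(Risk("R-002", "Unpatched service on air-gapped lab network (no threat path)",
                 business_owner="lab-manager", sle=50_000, aro=0.0, vulnerable=True))
    reg.add(Risk("R-003", "Laptop theft exposing customer data",
                 business_owner="head-of-support", sle=5_000, aro=2.0, vulnerable=True,
                 controls=[Control("Full-disk encryption", sle_reduction=0.9)]))
    reg.treat("R-001", "mitigate", decided_by="security-team")      # security proposes a control
    reg.treat("R-003", "accept", decided_by="head-of-support")      # only the owner may accept
    return reg


if __name__ == "__main__":
    reg = build_register()
    for rid, r in reg.risks.items():
        print(f"{rid}: inherent {r.inherent_ale():>9,.0f}  residual {r.residual_ale():>8,.0f}"
              f"  {reg.evaluate(rid)}  treatment={r.treatment} by {r.decided_by}")
    print("untreated (undocumented acceptance):", reg.untreated())
```

Running it shows R-001 dropping from 100,000 inherent to 20,000 residual and landing within tolerance, R-002 at zero because there is no active threat (the answer to Q1 below), and R-002 listed as untreated because nobody has recorded a decision for it. Calling `reg.treat("R-002", "accept", decided_by="security-team")` raises `PermissionError`: the register enforces that security identifies risk and the business owns the acceptance.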

Brain Ticklers

Q1. A system has a known vulnerability but no active threat. Is risk present?
Q2. Who decides to accept a risk — security team or business owner?
Q3. After implementing controls, what is the remaining risk called?
Q4. Buying cyber insurance is which treatment option?
Q5. Removing a risky system completely is which treatment option?