Risk management is formally defined as “The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.” The aim of risk management is “to strike an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks.” Hence, risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
It is important that departments and their IT users understand what risks exist in their IT environment and how those risks can be reduced or even eliminated. The aim of risk management is “to aid managers to strike an economic balance between the costs associated with the risks and the costs of protective measures to lessen those risks.” It is both prudent practice and, in many cases, a legal necessity.
National Information Systems Security Glossary, NSTISSI No. 4009 and AFR 205-16, AFR 700-10. Unless otherwise noted, all definitions in quotation marks are appropriated from a National Security Agency (NSA) curriculum used by the National Colloquium for Information System Security Education (NCISSE).
Last updated: 1/2/2014