Corporate risk comes from a wide variety of areas – natural disasters, attacks, project failures, legal liabilities, financial markets, etc. To protect a business and its goals from these threats, organizations manage their risks through a defined process of Risk Management. ISO 31000, the international standard on Risk Management, establishes a process of governing the uncertainties of doing business. This process includes:
Establishment of the Risk Management context: define the scope of business goals for which risks will be evaluated, the stakeholders, the evaluation process, any constraints, and available resources.
Identification of risks: determine which scenarios would, if they occur, constitute a threat to business objectives.
Assessment of business impact: assess each identified risk to determine the potential impact it would have on the business, as well as the probability that the scenario will occur.
Risk treatment: treatment of risks can include avoidance, mitigation (reducing the severity or likelihood of loss), sharing of risk (e.g. through insurance), and acceptance (for example, for risks so catastrophic or so unlikely that they cannot be insured against).
Once the above Risk Management evaluation is complete, ISO/IEC 27001 stipulates the preparation and communication of a Risk Treatment Plan that documents decisions about how each risk is to be handled. This plan must be recorded, communicated to stakeholders, implemented, and regularly reviewed and re-evaluated for continued relevance and accuracy.