Risk Management is a deceptively broad term. Many common IT practices stem from a deliberate, or more often an unstated, desire to manage risk. For example, change management programs exist to reduce the risk associated with planned and unplanned changes to the environment. Information security programs are another common risk management activity.

At its core, risk management is the assessment of business risks and the deliberate mitigation or acceptance of the risks identified. The process of identifying and rating risks is called a Risk Assessment. Standard frameworks have been developed in various disciplines, such as Business Continuity and Information Security, to aid in identifying and ranking risks. Viewed through the lens of a risk assessment, the depth of mitigation each risk warrants can be defined and justified.

With this site, I intend to convey what I have learned, and continue to learn, about risk management during my career. Expect the content to be slanted toward the security side of the scale, with some disaster recovery and business continuity thrown in.