Taking risk is a necessary part of doing business: it creates opportunities and helps deliver business objectives. For any organisation to operate successfully it needs to address risk and respond proportionately and appropriately, to a level consistent with the risks it is willing, or not willing, to tolerate. If an organisation does not identify and manage risk, the result can be business failure.
Principle of Risk Management
The organisation takes appropriate steps to identify, assess and understand security risks to the network and information systems supporting the delivery of essential services. This includes an overall organisational approach to risk management.
Risk management exists to help us create plans for the future in a deliberate, responsible and ethical manner. This requires risk managers to explore what could go right or wrong in an organisation, a project or a service, while recognising that we can never fully know the future as we try to improve our prospects.
Risk can’t be abolished
The starting point of risk management is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other (classically to either avoid, reduce, transfer or retain). This can be easier said than done, particularly when confronted with a demand to ‘abolish risk’, as if that were an easy and simple option.
Uncertainty is an important part of risk
Compliance ≠ risk management