What is risk management?
Risk management is the process of identifying, analyzing, and mitigating uncertainties and threats that can harm your company or organization. No business venture or organizational action can completely avoid risk, of course, and working too hard to do so would mean foregoing potentially lucrative opportunities and strategies. Risk management as a discipline aims to help organizations prepare for the future by quantifying risks to the extent possible and balancing the risks of future actions against potential benefits.
How do organizations structure risk management operations?
Risk management has in some organizations traditionally been multicentric, with different departments or individuals within the org implementing risk management techniques in their work: Risk management is a component of good project management, for instance. IT leaders in particular must be able to integrate risk management philosophies and techniques into their planning, as IT infrastructure and spending can represent within the company an intense combination of risk (of cyberattacks, downtime, or botched rollouts, for instance) and benefits realized as increased capabilities or efficiencies.
Some companies, particularly those in heavily regulated industries, such as banks and hospitals, centralize risk in a single department under a top-level chief risk officer (CRO) or similar executive role. A CRO might find themselves with responsibilities that overlap or conflict with CSOs, CISOs, and CIOs, and in some orgs without a clearly defined risk leader, ambitious infosec or infosecurity execs might try to take on that role for themselves. In any case, IT leaders need to understand and apply risk management in the areas under their purview.