2.3.1. Risk Management Concepts and Frameworks
💡 First Principle: A risk management framework provides the systematic process for identifying, analyzing, responding to, and monitoring risks. Frameworks don't make risk decisions — they create the structure within which humans make those decisions consistently and accountably.
Core risk vocabulary — precision required:
| Term | Definition | Exam Distinction |
|---|---|---|
| Risk Appetite | Amount of risk an organization is willing to pursue in achieving objectives | Strategic, set by board — "We'll accept up to X risk to enter new markets" |
| Risk Tolerance | Acceptable deviation from risk appetite — the operating range | Tactical — risk appetite is the goal; tolerance is the acceptable variance |
| Inherent Risk | Risk level before any controls are applied | Theoretical baseline — rarely what you actually manage |
| Residual Risk | Risk remaining after controls are applied | What you actually live with — what management must formally accept |
| Total Risk | Risk if you did nothing — theoretical maximum | = Threats × Vulnerabilities × Asset Value |
| Risk Register | Formal documentation of identified risks, assessments, owners, responses | Living document; updated continuously |
Major risk management frameworks:
NIST Risk Management Framework (RMF) — Six-step process mandatory for US federal systems: Categorize → Select → Implement → Assess → Authorize → Monitor. The Authorize step explicitly requires a senior official to accept residual risk — creating accountability.
ISO 31000 — International, generic risk management standard. Applicable to any type of risk (not just information security). Provides principles and guidelines; not prescriptive.
FAIR (Factor Analysis of Information Risk) — Quantitative model for cyber risk. Decomposes risk into frequency of loss events × probable magnitude of loss. Produces dollar estimates useful for business cases.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) — Organization-driven, practice-based approach. Team-based rather than expert-driven; good for organizations with limited security staff.
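The FAIR decomposition above (loss event frequency times loss magnitude, producing dollar figures) is easiest to see worked through in code. The following is an added example, not code from the page or from the FAIR standard: it treats each factor as a calibrated low/most-likely/high estimate, computes a point estimate, runs a small Monte Carlo simulation to show the loss distribution rather than a single number, and ranks scenarios by expected annual loss. The scenario names and every figure in it are constructed for illustration; the `Estimate`, `Scenario`, `point_estimate`, `simulate` and `rank_by_expected_loss` names are this example's own.

```python
"""FAIR-style annualized loss estimate for a cyber risk scenario.

Added example (not the page's own code and not the FAIR standard's reference
implementation). Scenario names and numbers below are constructed.
FAIR decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM):
    LEF = Threat Event Frequency (TEF) x Vulnerability
          (probability that a threat event turns into a loss event)
    LM  = Primary Loss + Secondary Loss   (dollars per loss event)
    Annualized risk = LEF x LM
"""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (low / most likely / high)."""
    low: float
    likely: float
    high: float

    def point(self) -> float:
        # Mean of a triangular distribution with these bounds.
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability (0..1) a threat event becomes a loss event
    primary_loss: Estimate    # dollars per loss event: response, replacement, downtime
    secondary_loss: Estimate  # dollars per loss event: fines, legal, customer churn


def point_estimate(s: Scenario) -> dict:
    """Single-value FAIR decomposition using the mean of each estimate."""
    lef = s.tef.point() * s.vulnerability.point()
    lm = s.primary_loss.point() + s.secondary_loss.point()
    return {"lef": lef, "loss_magnitude": lm, "annualized_loss": lef * lm}


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """One simulated year: each threat event independently becomes a loss event."""
    tef = s.tef.sample(rng)
    # Integer part is certain; the fractional part is one more event with that
    # probability, so the expected event count equals the sampled TEF.
    threat_events = int(tef) + (1 if rng.random() < tef - int(tef) else 0)
    total = 0.0
    for _ in range(threat_events):
        if rng.random() < s.vulnerability.sample(rng):
            total += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
    return total


def simulate(s: Scenario, trials: int = 5000, seed: int = 7) -> dict:
    """Monte Carlo loss distribution: mean plus the 10th/90th percentiles and worst year."""
    rng = random.Random(seed)
    losses = [simulate_year(s, rng) for _ in range(trials)]
    q = quantiles(losses, n=10)  # nine cut points; q[0] = P10, q[8] = P90
    return {"mean": mean(losses), "p10": q[0], "p90": q[8], "max": max(losses)}


def rank_by_expected_loss(scenarios: list) -> list:
    """Order scenarios by point-estimate annualized loss, highest first."""
    return sorted(scenarios, key=lambda s: point_estimate(s)["annualized_loss"], reverse=True)


# Constructed scenarios (hypothetical figures for illustration only).
PHISHING = Scenario(
    "Credential phishing leading to mailbox compromise",
    tef=Estimate(2, 6, 12), vulnerability=Estimate(0.1, 0.3, 0.5),
    primary_loss=Estimate(20_000, 50_000, 150_000),
    secondary_loss=Estimate(0, 25_000, 200_000),
)
RANSOMWARE = Scenario(
    "Ransomware on file servers",
    tef=Estimate(0.2, 0.5, 1.5), vulnerability=Estimate(0.2, 0.4, 0.7),
    primary_loss=Estimate(100_000, 400_000, 2_000_000),
    secondary_loss=Estimate(50_000, 300_000, 3_000_000),
)

if __name__ == "__main__":
    for s in rank_by_expected_loss([PHISHING, RANSOMWARE]):
        pe = point_estimate(s)
        mc = simulate(s)
        print(f"{s.name}: LEF {pe['lef']:.2f}/yr, LM ${pe['loss_magnitude']:,.0f}, "
              f"ALE ${pe['annualized_loss']:,.0f} "
              f"(MC mean ${mc['mean']:,.0f}, P90 ${mc['p90']:,.0f}, worst ${mc['max']:,.0f})")
```

The point estimate is what goes into a business case; the P90 and worst-year figures are what a board actually asks about, and they are why a quantitative model beats a single "high/medium/low" label when comparing two scenarios whose expected losses are similar but whose tails are not.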
Risk ownership — every identified risk must have a named owner (usually a business manager, not the security team). The security team identifies and measures risk; business managers decide what to do about it. This separation is both practical (business context) and accountability-based (managers own the outcomes).
⚠️ Exam Trap: The ISC2 exam uses "risk acceptance" as a formal, documented management decision. Passively ignoring a risk is NOT risk acceptance — it is negligence. True risk acceptance requires: explicit acknowledgment of the risk, documentation, management signature, defined review period, and a monitoring plan.
Reflection Question: Your organization's risk register shows 847 open risk items. The CISO wants to prioritize remediation. What criteria would you use to sequence the risks, and what framework element ensures each risk has an accountable owner who actually makes the treatment decision?
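One concrete way to approach the reflection question, and to make the risk-ownership and formal-acceptance requirements above mechanically checkable, is to treat the risk register as data and triage it. The following is an added example, not the page's own code or any standard's: it ranks register entries by residual risk (inherent likelihood × impact, reduced by estimated control effectiveness) and flags governance defects, namely a risk with no named owner, or a risk marked "accept" whose record lacks any of the acceptance elements the exam trap lists (acknowledgment, documentation, management signature, review period, monitoring plan) or whose review period has lapsed. The scoring scale, field names, and all register entries are constructed for illustration.

```python
"""Risk register triage: residual-risk ranking plus ownership and acceptance checks.

Added example, not the page's own code. The register format, scoring scale,
and risk entries below are constructed for illustration.
Scoring: inherent = likelihood x impact (each 1..5); residual = inherent
scaled down by the estimated effectiveness (0..1) of controls in place.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Elements a formal, documented acceptance must carry (matching the exam trap).
ACCEPTANCE_FIELDS = ("acknowledged_by", "document_ref", "signed_by",
                     "review_date", "monitoring_plan")

TODAY = date(2025, 6, 1)  # fixed "current date" so the example is reproducible


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: Optional[str]          # business manager accountable for the treatment decision
    likelihood: int               # 1..5
    impact: int                   # 1..5
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully mitigated)
    treatment: str                # "mitigate" | "accept" | "transfer" | "avoid"
    acceptance: dict = field(default_factory=dict)

    @property
    def inherent(self) -> float:
        return float(self.likelihood * self.impact)

    @property
    def residual(self) -> float:
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)


def accountability_defects(risk: Risk, today: date) -> list:
    """Governance gaps: missing owner, or an 'accept' treatment without a complete record."""
    defects = []
    if not risk.owner:
        defects.append("no named risk owner")
    if risk.treatment == "accept":
        missing = [f for f in ACCEPTANCE_FIELDS if not risk.acceptance.get(f)]
        if missing:
            defects.append("acceptance record missing: " + ", ".join(missing))
        review = risk.acceptance.get("review_date")
        if isinstance(review, date) and review < today:
            defects.append("acceptance review period has lapsed")
    return defects


def prioritize(register: list) -> list:
    """Highest residual risk first; ties broken by inherent risk, then by id."""
    return sorted(register, key=lambda r: (-r.residual, -r.inherent, r.risk_id))


def triage(register: list, today: date) -> list:
    """Ordered remediation queue: (risk_id, residual score, governance defects)."""
    return [(r.risk_id, r.residual, accountability_defects(r, today))
            for r in prioritize(register)]


# Constructed register entries (hypothetical).
REGISTER = [
    Risk("R-001", "Unpatched internet-facing VPN appliance", "VP Operations",
         5, 5, 0.6, "mitigate"),
    Risk("R-002", "Legacy billing app on unsupported OS", "Finance Director",
         4, 4, 0.0, "accept",
         acceptance={"acknowledged_by": "Finance Director", "document_ref": "RA-2024-03",
                     "signed_by": "CFO", "review_date": date(2099, 1, 1),
                     "monitoring_plan": "quarterly vulnerability scan review"}),
    Risk("R-003", "Shared admin credentials in ops team", "Head of IT",
         3, 5, 0.2, "accept",
         # Accepted informally: no signature, no monitoring plan, review date passed.
         acceptance={"acknowledged_by": "Head of IT", "document_ref": "RA-2024-07",
                     "review_date": date(2024, 1, 1)}),
    Risk("R-004", "Stale accounts in HR system", None, 2, 3, 0.5, "mitigate"),
]

if __name__ == "__main__":
    for risk_id, residual, defects in triage(REGISTER, TODAY):
        print(f"{risk_id}  residual={residual:5.1f}  {'; '.join(defects) or 'ok'}")
```

Two design points matter here. Ranking uses residual rather than inherent risk because residual is what the organization actually lives with; an item with heavy existing controls drops down the queue even if its inherent score is the highest. And the defect list is reported alongside the score rather than used to filter, because an "accepted" risk with an incomplete record (R-003 above) has not really been accepted and still needs a decision from its owner.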