Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.3. Risk Management

💡 First Principle: Risk management is not about eliminating risk — it is about making informed, documented decisions about which risks to accept, which to reduce, and how much organizational resources to spend on each. Every organization carries risk; the question is whether the risk portfolio is deliberate or accidental.

Risk management is Domain 1's largest single topic and arguably the concept most tested across the entire CISSP exam. Every domain's controls are ultimately risk management tools — they reduce specific risks. The vocabulary from Section 1.4 gets operationalized here into formal frameworks, calculation methods, and governance processes.

⚠️ Domain Trap: Risk management vocabulary is used with surgical precision on the CISSP. "Residual risk" is not the same as "inherent risk." "Risk tolerance" is not the same as "risk appetite." A risk framework is not the same as a risk assessment methodology. These distinctions appear in distractors.

⚠️ Common Misconception: "Quantitative analysis is always better than qualitative because it produces numbers." The numbers in quantitative analysis (ALE, SLE, ARO) are themselves estimates — often based on historical data that doesn't exist in sufficient quantity. Qualitative analysis, properly conducted with experienced practitioners, can be more accurate and actionable than precise-looking numbers built on shaky assumptions.
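To make the point above concrete, here is a small added example (not part of the original text or MindMesh Academy's material). It uses the standard formulas the page names but does not spell out (SLE = AV × EF, ALE = SLE × ARO, and safeguard value = ALE before − ALE after − annual safeguard cost) and wraps each uncertain input in a three-point low/likely/high estimate, a technique assumed here for illustration. The asset value, exposure factor, ARO and safeguard cost are constructed numbers. Running it shows that the single "likely" ALE says the safeguard pays for itself, while the range of plausible inputs includes cases where it does not, which is exactly why a precise-looking ALE should be read as an estimate with error bars.

```python
"""Sensitivity of a quantitative risk estimate (ALE) to its input assumptions.

Formulas assumed here (standard CISSP definitions, not stated on the page):
    SLE = AV * EF                      single loss expectancy
    ALE = SLE * ARO                    annualized loss expectancy
    safeguard value = ALE_before - ALE_after - annual safeguard cost
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Estimate:
    """A three-point (low / likely / high) estimate for an input nobody knows exactly."""
    low: float
    likely: float
    high: float

    def points(self):
        return (self.low, self.likely, self.high)


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: how much of the asset's value one occurrence destroys."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE: expected loss per year, given how often the event occurs."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Positive value means the safeguard reduces expected loss by more than it costs."""
    return ale_before - ale_after - annual_safeguard_cost


def evaluate_safeguard(asset_value, ef, aro, aro_reduction, annual_cost):
    """Evaluate a safeguard at the 'likely' point and at every corner of the
    estimate ranges.  Returns (likely_value, worst_case_value, best_case_value)."""
    def value_at(exposure, rate):
        before = annualized_loss_expectancy(asset_value, exposure, rate)
        # the safeguard is modelled as cutting the event frequency by aro_reduction
        after = annualized_loss_expectancy(asset_value, exposure, rate * (1 - aro_reduction))
        return safeguard_value(before, after, annual_cost)

    likely = value_at(ef.likely, aro.likely)
    corners = [value_at(e, r) for e, r in product(ef.points(), aro.points())]
    return likely, min(corners), max(corners)


def decision_is_robust(asset_value, ef, aro, aro_reduction, annual_cost):
    """True only if the safeguard still pays off under the least favourable estimates."""
    _, worst, _ = evaluate_safeguard(asset_value, ef, aro, aro_reduction, annual_cost)
    return worst > 0


# Constructed inputs for the illustration (not real data):
ASSET_VALUE = 500_000.0                  # AV: replacement value of a customer database
EF = Estimate(low=0.2, likely=0.4, high=0.6)   # fraction of AV lost per incident
ARO = Estimate(low=0.05, likely=0.2, high=0.5) # one incident every 20 / 5 / 2 years
ARO_REDUCTION = 0.8                      # safeguard cuts incident frequency by 80 %
ANNUAL_COST = 25_000.0                   # yearly cost of the safeguard

if __name__ == "__main__":
    likely, worst, best = evaluate_safeguard(ASSET_VALUE, EF, ARO, ARO_REDUCTION, ANNUAL_COST)
    print(f"likely ALE before safeguard: "
          f"{annualized_loss_expectancy(ASSET_VALUE, EF.likely, ARO.likely):,.0f}")
    print(f"safeguard value  likely={likely:,.0f}  worst={worst:,.0f}  best={best:,.0f}")
    print("robust decision:", decision_is_robust(ASSET_VALUE, EF, ARO, ARO_REDUCTION, ANNUAL_COST))
```

With these constructed inputs the likely-case value is about +7,000 per year (buy the safeguard), but the worst corner of the estimate ranges is about −21,000 (the safeguard costs more than it saves), so the decision is not robust to the assumptions behind the numbers. A practitioner would either narrow the estimates with better data or accept that the quantitative result is only as good as the qualitative judgement that produced its inputs.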

Written by Alvin Varughese, Founder, 15 professional certifications