Could any one define the Risk Management Process?

Risk planning

Risk identification

Risk quantitative

Risk qualitative

Risk response

Identify, assess, plan and implement

Assalamu AlaikumIt's a very broad subject Mr. Sarfaraz. At the basic level, Risk management is a comprehensive process that includes:

1.    Defining the scope - within which risks must be identified, assessed, responded and monitored

2.    Assess the risk - Risks within the scope are assessed and classified according to their impacts. You can use different ‘methodologies’ for Risk Assessment and they follow two approaches:1.    Quantitative2.    Qualitative(refer to ‘Guide for Conducting Risk Assessments’2.3.2)

3.    Risk Response - There are four ways to respond to an assessed risk

1.    Treat -  the risk by implementing necessary controls

2.    Terminate – whatever that’s causing the risk because the other three options are not feasible

3.    Transfer – the risk to a third party. e.g., Insurance Companies

4.    Tolerate – the risk; move on doing nothing about it, hoping of the best.

4.    Monitor - the risk so that they have less chance of materializing or that you are prepared if they do. In Risk Management philosophy risk is only mitigated never eliminated. So, even after you ‘treat’ a risk, ‘Residual Risk’ may remain.

Please use the following links. They are bit dry, but excellent sources of information. They are also adopted worldwide for Information & IT Security

Managing Information Security Risk http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Guide for Conducting Risk Assessmentshttp://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Guide for Applying the Risk Management Framework to Federal Information Systemshttp://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

http://www.southwales-fire.gov.uk/English/aboutus/fireservicepublications/Documents/Risk%20Management%20Guidelines.pdf

Hope this helps. Good Luck.

regards,

Shereef