Risk management
==Introduction==
Risk is defined as the possibility that an event will occur that adversely affects the achievement of an objective. Uncertainty, therefore, is a key aspect of risk.<ref>{{Cite book |last=Hardy |first=Karen |url=https://books.google.com/books?id=yRTyBQAAQBAJ |title=Enterprise Risk Management: A Guide for Government Professionals |date=2014-11-10 |publisher=John Wiley & Sons |isbn=978-1-118-91102-0 |pages=121 |language=en}}</ref> Risk management has appeared in scientific and management literature since the 1920s.<ref>{{Cite book |last=Yang |first=Kai |url=https://books.google.com/books?id=3srlEAAAQBAJ |title=Quality in the Era of Industry 4.0: Integrating Tradition and Innovation in the Age of Data and AI |date=2024-01-04 |publisher=John Wiley & Sons |isbn=978-1-119-93244-4 |pages=242 |language=en}}</ref> It became a formal science in the 1950s, when articles and books with "risk management" in the title also appear in library searches.<ref>{{Cite journal|last=Dionne|first=Georges|date=2013|title=Risk Management: History, Definition, and Critique: Risk Management|url=https://onlinelibrary.wiley.com/doi/10.1111/rmir.12016|journal=Risk Management and Insurance Review|language=en|volume=16|issue=2|pages=147–166|doi=10.1111/rmir.12016|s2cid=154679294}}</ref> Most research was initially related to finance and insurance.<ref>{{Cite web |title=Risk Management and Insurance |url=https://www.nber.org/reporter/summer-1999/risk-management-and-insurance |access-date=2024-12-03 |website=NBER |language=en}}</ref><ref>{{Cite web |date=2022-11-30 |title=Forex ea |url=https://cheapforexea.com |access-date=2024-12-03 |language=en-US}}</ref> One popular standard clarifying the vocabulary used in risk management is ''ISO Guide 31073:2022'', "Risk management – Vocabulary".<ref name="voc" />

Ideally in risk management, a prioritization process is followed,<ref>{{Cite news |date=2021-06-30 |title=Risk Management- Em Asst |url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3737157 |access-date=2024-12-03 |work= |ssrn=3737157 |language=en-GB}}</ref> whereby the risks with the greatest loss (or impact) and the greatest [[probability]] of occurring are handled first. Risks with lower probability of occurrence and lower loss are handled in descending order. In practice, the process of assessing overall risk can be tricky, and an organisation has to balance the resources used for mitigation between risks with a higher probability but lower loss and risks with a higher loss but lower probability. [[Opportunity cost]] represents a unique challenge for risk managers. It can be difficult to determine when to put resources toward risk management and when to use those resources elsewhere. Again, ideal risk management optimises resource usage (spending, manpower, etc.) and also minimizes the negative effects of risks.

===Risks vs. opportunities===
Opportunities first appeared in academic research or management books in the 1990s. The first PMBoK [[Project Management Body of Knowledge]] draft of 1987 does not mention opportunities at all.

Modern project management schools recognize the importance of opportunities. Opportunities have been included in project management literature since the 1990s, e.g. in PMBoK, and became a significant part of project risk management in the 2000s,<ref>{{Cite web|title=The ascent of risk|url=https://www.pmi.org/learning/library/ascent-risk-pmbok-guide-7618|access-date=2021-12-13|website=www.pmi.org|language=en}}</ref> when articles titled "opportunity management" also begin to appear in library searches. [[Opportunity management]] thus became an important part of risk management.

Modern risk management theory deals with any type of external event, positive or negative. Positive risks are called ''opportunities''. Similarly to risks, opportunities have specific mitigation strategies: exploit, share, enhance, ignore.

In practice, risks are considered "usually negative". Risk-related research and practice focus significantly more on threats than on opportunities. This can lead to negative phenomena such as [[target fixation]].<ref>{{Cite web|last=|first=|last2=|last3=|last4=|last5=|last6=|first6=|date=2021|title=Target fixation in risk management. Arguments for the bright side of risk|url=https://blog.stefanmorcov.com/2021/03/target-fixation-in-risk-management.html|access-date=2021-12-13|website=Stefan Morcov|language=en}}</ref>

===Method===
For the most part, these methods consist of the following elements, performed, more or less, in the following order:
# Identify the [[Cyber threat intelligence|threats]].
# Assess the vulnerability of critical assets to specific threats.
# Determine the [[risk]] (i.e. the expected likelihood and consequences of specific attacks on specific assets).
# Identify ways to reduce those risks.
# Prioritize risk reduction measures.

'''The Risk management''' knowledge area, as defined by the [[Project Management Body of Knowledge]] PMBoK, consists of the following processes:
# '''Plan Risk Management''' – defining how to conduct risk management activities.
# '''Identify Risks''' – identifying individual project risks as well as sources.
# '''Perform Qualitative Risk Analysis''' – prioritizing individual project risks by assessing probability and impact.
# '''Perform Quantitative Risk Analysis''' – numerical analysis of the effects.
# '''Plan Risk Responses''' – developing options, selecting strategies and actions.
# '''Implement Risk Responses''' – implementing agreed-upon risk response plans. In the 4th Ed. of PMBoK, this process was included as an activity in the Monitor and Control process, but was later separated as a distinct process in PMBoK 6th Ed.<ref name="Morcov2021">Morcov, Stefan (2021). Managing Positive and Negative Complexity: Design and Validation of an IT Project Complexity Management Framework. KU Leuven University. Available at https://lirias.kuleuven.be/retrieve/637007</ref>
# '''Monitor Risks''' – monitoring the implementation. This process was known as Monitor and Control in the previous PMBoK 4th Ed., when it also included the "''Implement Risk Responses''" process.

===Principles===
The [[International Organization for Standardization]] (ISO) identifies the following principles for risk management:<ref name="iso"/>
* Create [[value (economics)|value]] – resources expended to mitigate risk should be less than the consequence of inaction.
* Be an integral part of organizational processes.
* Be part of the [[decision-making]] process.
* Explicitly address [[uncertainty]] and assumptions.
* Use a systematic and structured process.
* Use the best available information.
* Be flexible.
* Take human factors into account.
* Be transparent and inclusive.
* Be dynamic, iterative and responsive to change.
* Be capable of continual improvement and enhancement.
* Continual reassessment.

===Mild versus wild risk===
[[Benoit Mandelbrot]] distinguished between "mild" and "wild" risk and argued that risk assessment and management must be fundamentally different for the two types of risk.<ref>{{Cite book|last=Mandelbrot, Benoit and Richard L. Hudson|title=The (mis)Behaviour of Markets: A Fractal View of Risk, Ruin and Reward|publisher=Profile Books|year=2008|isbn=9781846682629|location=London}}</ref> Mild risk follows [[Normal distribution|normal]] or near-normal [[probability distribution]]s, is subject to [[Regression toward the mean|regression to the mean]] and the [[law of large numbers]], and is therefore relatively predictable. Wild risk follows [[fat-tailed distribution]]s, e.g., [[Pareto distribution|Pareto]] or [[power-law distributions]], is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. According to Mandelbrot, a common error in risk assessment and management is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild; this must be avoided if risk assessment and management are to be valid and reliable.
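
The contrast between mild and wild risk can be seen in a small simulation. This is an added example, not part of the original article; the normal parameters (mean 100, standard deviation 15), the Pareto tail index of 0.8 (infinite mean), the sample size and the seed are all assumptions chosen for illustration.

```python
import random
import statistics


def profile(losses):
    """Summarise a loss sample with three stability indicators."""
    half = len(losses) // 2
    first, second = losses[:half], losses[half:]
    return {
        # Share of the total loss caused by the single largest event.
        "max_share": max(losses) / sum(losses),
        # Near 1 means the average describes a typical event.
        "mean_over_median": statistics.fmean(losses) / statistics.median(losses),
        # Near 1 means an average estimated on the first half of the
        # history still holds for the second half.
        "half_mean_ratio": statistics.fmean(second) / statistics.fmean(first),
    }


def simulate(n=20000, alpha=0.8, seed=7):
    """Draw n mild (normal) and n wild (Pareto, tail index alpha) losses."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    # Mild: near-normal losses, clipped at 1.0 to keep every loss positive.
    mild = [max(1.0, rng.gauss(100.0, 15.0)) for _ in range(n)]
    # Wild: Pareto losses with minimum 100; alpha <= 1 has no finite mean.
    wild = [100.0 * rng.paretovariate(alpha) for _ in range(n)]
    return profile(mild), profile(wild)


if __name__ == "__main__":
    mild, wild = simulate()
    for name, result in (("mild", mild), ("wild", wild)):
        print(name, {key: round(value, 4) for key, value in result.items()})
```

In the mild sample no single event matters and the average is stable across halves of the history; in the wild sample one event carries a visible share of the total loss and the mean sits far above the median, so an average taken from past losses says little about the next one.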