Every organisation faces uncertainty and this is often a key challenge in achieving its objectives. Much of this uncertainty comes from an inability to accurately predict future events.
Generally, we can define a potential future event that could affect an organisation’s objectives as a ‘risk’ and the process of forecasting and responding to these potential future events as ‘risk management’. Many existing risk management methodologies attempt to improve the process of understanding and responding to potential future events.
The first decision for an organisation will be how much risk management to do, striking the right balance between the amount of effort spent on risk management activity and the benefits brought about by the insight it provides.
In this paper we will use a set of definitions that have been used by many organisations to effectively manage risk, explore the concepts around the topic and suggest how organisations can evolve their thinking about cyber risk while also outlining some challenges.