Risk arises from what might be called the dynamic characteristic of reality.

This dynamism produces change through the outcomes, outcomes that may fall within a definable possibility set (a coin toss will produce either a head or tail outcome) or that may not may be defined or anticipated in any obvious way (e.g., space exploration in the early 1960s).

It is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. the effect of uncertainty on objectives, whether positive or negative (ISO 31000)

Risk Avoidance

Risk Reduction

Risk Sharing

Risk Retention

Eliminate Withdraw

Optimize Control Damage

Transfer Buy Protection

Accept Events Monitor

 Mitigate (control damage) to cause to become less harsh Optimize to make as perfect, effective, or functional as possible

To mitigate risk, organizations usually consider implementing a blend of the following three approaches: : Eliminate the threat by removing the flaw or weakness or the ability to exercise it. Controls to Prevent. These controls focus on preventing a security breach from occurring

: Implement controls that constrain the impact of a threat without the need to take additional actions. Controls to Support. These controls are generic and underlie most information technology security capabilities. : Implementing measures to detect the exercise of a vulnerability and take action to mitigate adverse outcomes. Controls to Detect and Recover. The controls in this category focus on the detection and recovery from a security breach.

It involves reducing the severity of the loss or the likelihood of the loss from occurring. Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between negative risk and the benefit of the operation or activity; and between risk reduction and effort applied.