Risk Management

From CIPedia
Jump to: navigation, search

Definitions

European Definitions

Council of Europe

Risk management is the process whereby decisions are made and actions implemented to eliminate or reduce the effects of identified hazards. [1]


EU

[CBRN] The process, distinct from Risk Assessment, of weighing policy alternatives, in consultation with all interested parties, considering risk assessment and other factors relevant for the health protection of workers and consumers, the protection of the environment and for the promotion of fair trade practices, and, if needed, selecting appropriate prevention and control options. [2]

ENISA

Risk Management is the process, distinct from risk assessment, of weighing policy alternatives in consultation with interested parties, considering risk assessment and other legitimate factors, and selecting appropriate prevention and control options. [3]

Other International Definitions

CARICOM

Risk management is the systematic approach and practice of managing uncertainty to minimise potential harm and loss. [4]


NATO CEP / EAPC

A deliberate process of understanding risk and deciding upon and implementing actions to reduce risk to a defined level, which is an acceptable level of risk at an acceptable cost. This approach is characterised by identifying, measuring, and controlling risks to a level commensurate with an assigned level. [5]


UNISDR

The systematic approach and practice of managing uncertainty to minimize potential harm and loss. [6]

According to UNISDR, risk management comprises risk assessment and analysis, and the implementation of strategies and specific actions to control, reduce and transfer risks. It is widely practiced by organizations to minimise risk in investment decisions and to address operational risks such as those of business disruption, production failure, environmental damage, social impacts and damage from fire and natural hazards. Risk management is a core issue for sectors such as water supply, energy and agriculture whose production is directly affected by extremes of weather and climate.

Gestion des risques: Approche systémique et pratique managériale pour limiter les dommages et les pertes potentiels. [7]

Управление риском: Системный подход и практические действия, направленные на устранение неопределенности для снижения потенциального вреда и ущерба. [8]

Gestión del riesgo: El enfoque y la práctica sistemática de gestionar la incertidumbre para minimizar los daños y las pérdidas potenciales. [9]

إدارة المخاطر : المنهج النمطي والممارسات لإدارة مخاطر محتملة للتقليل من احتمالات الضرر والخسارة. [10]

Manajemen risiko: Pendekatan dan praktik sistematis dalam mengelola ketidakpastian untuk meminimalkan potensi kerusakan dan kerugian. [11]

Pengurusan Risiko: Pendekatan dan pelaksanaan sistematik dalam menguruskan ketidakpastian bagi meminimumkan kerosakan dan kerugian. [12]

Pamamahala sa Peligro: Ang sistematkong pamamaraan at praktika ng pamamahala ng kawalang-katiyakan para mabawasan ang posibilidad ng pinsala at kawalan. [13]


National Definitions

Argentina

Gestión de Riesgos: Actividades coordinadas para dirigir y controlar una organización en lo que concierne al riesgo. [14]
NOTA. La gestión de riesgos usualmente incluye la evaluación de riesgos, el tratamiento de riesgos, la aceptación de riesgos y la comunicación de riesgos.

Australia

Risk management is the systematic application of management policies, procedures and practices to the tasks of identifying, analyzing, evaluating, treating and monitoring risk. [15]


Coordinated activities to direct and control an organization with regard to risk. [16]

Risk management - The implementation of strategies to avoid unacceptable consequences. In the context of climate change adaptation and mitigation are the two broad categories of action that might be taken to avoid unacceptable consequences. [17]


Canada

Risk management is the use of policies, practices and resources to analyze, assess and control risks to health, safety, environment and the economy.

Gestion des risques: Recours à des politiques, à des pratiques et à des ressources pour analyser, évaluer et contrôler les risques pour la santé, la sécurité, l’environnement et l’économie. [18] [19]


Gestion des risques: Mesures prises pour garantir ou améliorer la sécurité d’une installation et de son fonctionnement (OCDE, 1992). [19]


Cape Verde

Gestão de risco: Abordagem sistemática e prática de gestão de incertezas para minimizer potenciais danos e perdas. [20]
A gestão de riscos compreende a avaliação de riscos e análise e da implementação de estratégias e acções específicas para controlar, reduzir e transferir riscos (redução de riscos). É bastante praticada por organizações para minimizar o risco nas decisões de investimento e para enfrentar os riscos operacionais, tais como de interrupção de negócios, falha de produção, danos ambientais, impactos sociais e danos causados pelo fogo e desastres naturais. A gestão de riscos é uma questão central para sectores tais como o de abastecimento de água, energia e agricultura, cuja produção é directamente afectado por eventos climáticos extremos.

Chile

Gestión del riesgo: Proceso social complejo que conduce al planeamiento y aplicación de políticas, estrategias, instrumentos y medidas orientadas a impedir, reducir, prever y controlar los efectos adversos de fenómenos peligrosos sobre la población, los bienes y servicios y el ambiente. [21]
Acciones integradas de reducción de riesgos a través de actividades de prevención, mitigación, preparación para, y atención de emergencias y recuperación post impacto.

Colombia

Manejo de Riesgos: Actividades integradas para evitar o mitigar los efectos adversos en las personas, los bienes, los servicios y el medio ambiente, mediante la planeación de la prevención y la preparación para la atención de la población potencialmente afectada. [22]

Administratión del Riesgo: Conjunto de elementos de control que al interrelacionarse, permiten a la Institución evaluar aquellos eventos negativos tanto internos como externos, que pueden afectar o impedir el logro de sus objetivos institucionales o los eventos positivos, que permiten identificar oportunidades para un mejor cumplimiento de su función. [23]


Cuba

Gestión del Riesgo: Aproximación sistemática, basada en la valoración de las amenazas y las vulnerabilidades, para la determinación de las contra-medidas necesarias para la protección de la información o los servicios y recursos que la soportan. [24]


Czech Republic

Řízení rizik: Koordinované činnosti pro vedení a řízení organizace s ohledem na rizika. [25]

Risk management are coordinated activities to manage and control an organization in view of the risks. [26]



El Salvador

Gestión de riesgos: Proceso social complejo que conduce al planeamiento y aplicación de políticas, estrategias, instrumentos y medidas orientadas a impedir, reducir, prever y controlar los efectos adversos de fenómenos peligrosos sobre la población, los bienes y servicios y el ambiente. Acciones integradas de reducción de riesgos a través de actividades de prevención, mitigación, preparación para, y atención de emergencias y recuperación post impacto.[27]


Finland

Riskienhallinta: järjestelmällinen toiminta, joka sisältää riskianalyysin sekä tarvittavien toimenpiteiden suunnittelun, toteutuksen, seurannan ja korjaavat toimenpiteet.

Risk management is a systematic action which includes risk analysis as well as the planning, execution and follow-up of operations needed and the corrective operations. -unofficial translation- [28]


Germany

The totality of measures to minimise the risk situation, weighing up the strategic alternatives (optional courses of action) in consultation with the parties concerned and according due consideration to the Risk Assessment and other factors worthy of consideration. [29]


Risikomanagement: Kontinuierlich ablaufendes, systematisches Verfahren zum zielgerichteten Umgang mit Risiken, das die Analyse und Bewertung von Risiken sowie die Planung und Umsetzung von Maßnahmen, insbesondere zur Risikovermeidung, -minimierung und -akzeptanz, beinhaltet. [30]

Germany

Risikomanagement: alle Aktivitäten mit Bezug auf die strategische und operative Behandlung von Risiken bezeichnet, also alle Tätigkeiten, um Risiken für eine Institution zu identifizieren, zu steuern und zu kontrollieren. [31]


Guatemala

Gestión de Riesgos: Estrategias de prevención, preparación, mitigación, respuesta y recuperación ante eventos de orden natural o antropogénico, social y tecnológico, que puedan afectar a la población, sus bienes y entorno. [32]


India

Risk management (in ICT) is the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources. [33]


Ireland

Risk management are actions taken to reduce the probability of an event occurring or to mitigate its consequences. [34]


Japan

リスク管理 : システム資源に影響を与える可能性がある不確実なイベントを識別、統制し、根絶もしくは最小化する過程.

(Cyber) Risk management is the process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. [35]

(リスク管理 : リスクを特定、アセスメントし、リスクに対応するプロセス。 [36]


Kiribati

Babaire aika a kakatauraoaki imwain kanganga aika a kona na riki ni irekereke ma bibitakin kanoan te bong. [37]

Risk management involves doing conscious, planned activities to address climate risk.


Liberia

Risk Management: Identifying vulnerabilities in a network and developing a strategy to protect against attack. [38]


Luxembourg

Gestion des risques: Activités coordonnées dans le but de diriger et piloter une organisation en prenant en compte les risques. [39]


Netherlands

Risk management is the process that aims to identify and control the risk.

Risicomanagement is het proces dat beoogt risico's te inventariseren en te beheersen. [40]


[HEALTH sector]
Risico management/manipulatie: Het proces van afweging van beleidsalternatieven om geschatte risico’s te accepteren, minimaliseren of reduceren en de geschikte mogelijkheden te selecteren en uitvoeren.

Risk management: The process of weighing policy alternatives to accept, minimize or reduce assessed risks and to select and implement appropriate options. [41]


New Zealand

Risk management is the process of analysing exposure to risk, and determining how to manage that exposure. [42]

The level of risk is arrived at by examining the likelihood and consequences of the hazard and whether the course of action is acceptable for the outcome that needs to be achieved. (Likelihood x Consequences = Risk).

Norway

Risikostyring er hele prosessen med å definere hvilke områder og uønskede hendelser man skal gjøre risikoanalyser av, gjennomføre risikoanalysene, evaluere risikoresultatene (om risikonivået er forsvarlig eller ikke) og iverksette eventuelle risikoreduserende tiltak. [43]

Risk management is the entire process of defining in what areas and for what adverse events risk analyses should be conducted, conducting the risk analyses, evaluating the risk results (whether the level of risk is justifiable or not) and implementing any risk-reduction measures. [44]


Peru

Gestión del Riesgo de Desastres (GRD): Es un proceso social cuyo fin último es la prevención, la reducción y el control permanente de los factores de riesgo de desastre en la sociedad, así como la adecuada preparación y respuesta ante situaciones de desastre, considerando las políticas nacionales con especial énfasis en aquellas relativas a material económica, ambiental, de seguridad, defensa nacional y territorial de manera sostenible. [45]


Philippines

Risk Management: The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. [46]

Risk Management: The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes: 1. the conduct of a risk assessment; 2. the implementation of a risk mitigation strategy; and 3. Employment of techniques and procedures for the continuous monitoring of the security state of the information system. [47]

Risk Management is the process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. [48]


Poland

Zarządzanie ryzykiem – skoordynowane działania w zakresie zarządzania cyberbezpieczeństwem w odniesieniu do oszacowanego ryzyka. [49]

Portugal

[Definição]Tratamento do Risco: Atenuação, eliminação, redução (mediante uma combinação adequada de medidas técnicas, materiais, organizativas e processuais), transferência ou monitorização do risco. [50]


Republic of Trinidad & Tobago

The systematic approach and practice of managing uncertainty to minimize potential harm and loss. [51]

Romania

Managementul riscurilor: Proces sistematic şi riguros de identificare, analiză, planificare, control şi comunicare a riscurilor. Fiecare risc identificat trece, secvenţial, prin celelalte funcţiuni, în mod continuu, concurent şi iterativ. [52]
Riscurile sunt uzual urmărite, în paralel cu identificarea şi analizarea unora noi, iar planurile de atenuare pentru un risc pot conduce la descoperirea altor riscuri.

Risk management (in ICT) is a complex, continuous and flexible identification, evaluation and fighting of cyber security risks, based on the use of complex tools and techniques to prevent losses of any kind.

Managementul riscului: un proces complex, continuu şi flexibil de identificare, evaluare şi contracarare a riscurilor la adresa securităţii cibernetice, bazat pe utilizarea unor tehnici şi instrumente complexe, pentru prevenirea pierderilor de orice natură. [53]


Serbia

управљање ризиком је систематичан скуп мера који укључује планирање, организовање и усмеравање активности како би се обезбедило да ризици остану у прописаним и прихватљивим оквирима. [54]


Singapore

Risk Management: Coordinated activities to direct and control an organisation with regard to risk. [55]


Spain

Gestión de Riesgos: Actividades coordinadas para dirigir y controlar una organización con respecto a los riesgos. [56]

Gestión del riesgo (Risk Management): (OTAN) Aproximación sistemática, basada en la valoración de las amenazas y las vulnerabilidades, para la determinación de las contra-medidas necesarias para la protección de la información o los servicios y recursos que la soportan. [57]


Switzerland

Unter Risikomanagement werden die koordinierten Aktivitäten zur Steuerung und Lenkung einer Organisation in Bezug auf Risiken, d. h. auf Auswirkungen von Unsicherheiten auf die Ziele der Organisation verstanden. [58]

On entend par gestion des risques l’ensemble des activités coordonnées dans le but de diriger et d’orienter une organisation par rapport aux risques, c.-à-d. par rapport aux conséquences que peuvent avoir les incertitudes sur les objectifs de l’organisation. [59]


United Arab Emirates

Risk Management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects (HB167: 2006 Security Risk Management). [60]


United Kingdom (UK)

Risk Management is all activities and structures directed towards the effective assessment and management of risks and their potential adverse impacts. [61]

Risk Management is a process of identifying, understanding, managing, controlling, monitoring and communicating risk. [62]

Risk Management is putting in place plans to avoid unacceptable consequences of risks. [63]


United States

DHS
Process of identifying, analyzing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level at an acceptable cost. [64]

NIST
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process. (Source: CNSSI-4009; NIST SP 800-30; NIST SP 800-39)

The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes: (i) establishing the context for risk-related activities; (ii) assessing risk; (iii) responding to risk once determined; and (iv) monitoring risk over time [65]

US-CERT
The purpose of risk management is to identify, analyze, and mitigate risks to critical service and IT assets that could adversely affect the operation and delivery of services. [66]

White House
Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents.  [67]
Information sharing facilitates and supports all of these activities.

Standard Definition

IETF

The process of identifying, measuring, and controlling (i.e., mitigating) risks in information systems so as to reduce the risks to a level commensurate with the value of the assets protected. [68]

ISO/IEC 27000:2014, ISO 31000:2009 and ISO 22301:2012

These standards defines risk management as:

Risk amangement: Coordinated activities to direct and control an organization with regard to risk. [69] [70] [71])
Definition is based on the ISO Guide 73:2009. [72]

Risk management process is the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk. [69] (based on the ISO Guide 73:2009 [72]). ISO/IEC 27005 uses the term ‘process’ to describe risk management overall. The elements within the risk management process are termed ‘activities’.

See also

Notes

  1. GLOSSAIRE MULTILINGUE DE LA GESTION DU RISQUE pour usagers francophones (2007)/European Centre of Technological Safety (TESEC) - TESEC-EUR-OPA 2001)
  2. European Commission's CBRN Glossary, 2012
  3. ENISA Risk Glossary
  4. Caribbean Disaster Emergency Management Agency (CDEMA) Regional Comprehensive Disaster Management Strategy and Results Framework 2014-2024
  5. NATO EAPC(SCEPC) lexicon.
  6. 2009 UNISDR Terminology on Disaster Risk Reduction
  7. UNISDR glossary
  8. UNISDR glossary
  9. UNISDR glossary
  10. UNISDR glossary
  11. UNISDR glossary in Bahasa
  12. UNISDR glossary in Malay
  13. UNISDR glossary in Tagalog
  14. Oficina Nacional de Tecnologías de Información ADMINISTRACION PUBLICA NACIONAL Disposición 3/2013 - Apruébase la “Política de Seguridad de la Información Modelo” (2013)
  15. Australian Emergency Management Glossary, Emergency Management Australia (1998)
  16. Australia AS NZS 5050 (2010)
  17. ADAPTATION TO CLIMATE CHANGE: KEY TERMS, E. Levina and D. Terpak, OECD (2006) - derived from (Australian Greenhouse Office. 2003)
  18. An Emergency Management Framework for Canada (Second Edition)
  19. 19.0 19.1 Vocabulaire de la gestion des urgencies/Emergency Management Emergency Management Vocabulary 281 (2012)
  20. Avaliação das Necessidades Pós- Desastre (PDNA) ERUPÇÃO VULCÂNICA NO FOGO 2014-2015, Cape Verde
  21. GUÍA ANÁLISIS DE RIESGOS NATURALES PARA EL ORDENAMIENTO TERRITORIAL Subsecretaría de Desarrollo Regional y Administrativo (SUBDERE) Primera Edición, Junio 2011
  22. Glosario Policia Colombia
  23. Glosario Policia Colombia
  24. Glossary of Cyber terms/Glosario de términos, Centro de Seguridad del Ciberespacio
  25. Výkladový slovník kybernetické bezpečnosti (2013)
  26. Act No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts (Act on Cyber Security)
  27. Glosario de Riesgo, Ministerio de Medio Ambiente y Recursos Naturales, El Salvador
  28. Vocabulary of Comprehensive Security. Helsinki (TSK 47) (2014)
  29. Protection of Critical Infrastructures – Baseline Protection Concept: Recommendation for Companies, BMI.
  30. Glossar BBK
  31. BSI Glossary
  32. Plan Estratégico de Seguridad de la Nación 2016-2020, Guatemala
  33. India's DGQA Cyber Security Policy (2015)
  34. A FRAMEWORK FOR MAJOR EMERGENCY MANAGEMENT (APPENDICES)
  35. RFC2828 (Japanese translation)
  36. 重要インフラのサイバーセキュリティを 向上させるためのフレームワーク (2014)
  37. Kiribati BI-LINGUAL GLOSSARY OF CLIMATE CHANGE TERMS, Original translations by Dr Temakei Tebano & Etita Teiabauri, 2008
  38. Government of Liberia’s Policy for the Telecommunications and Information Communications Technology (ICT) sectors
  39. Glossaire
  40. Zakboekje Preventie Cybercrime (2008
  41. Patiëntveiligheid Definitielijst (2005)
  42. The New Zealand Coordinated Incident Management System, Department of the Prime Minister and Cabinet, New Zealand. (2014)
  43. DSB, National Risikobild 2014
  44. DSB, National Risk Analysis 2014
  45. El Centro Nacional de Estimación, Prevención y Reducción del Riesgo de Desastres - CENEPRED, Glosario de Términos, Peru
  46. DND GLOSSARY OF CYBER SECURITY TERMS (v.4)
  47. DND GLOSSARY OF CYBER SECURITY TERMS (v.4)
  48. DND GLOSSARY OF CYBER SECURITY TERMS (v.4)
  49. U S TAWA z dnia o krajowym systemie cyberbezpieczeństwa / Polish (draft) law on the national cybersecurity system (2018)
  50. Glossário Centro National de Cibersegurança Portugal
  51. Comprehensive Disaster Management Policy Framework for Trinidad and Tobago
  52. GLOSAR de termeni din domeniul ordinii şi siguranţei publice, MINISTERUL ADMINISTRAŢIEI ŞI INTERNELOR DIRECŢIA GENERALĂ ORGANIZARE, PLANIFICARE MISIUNI ŞI RESURSE
  53. Hotărârea nr. 271/2013 pentru aprobarea Strategiei de securitate cibernetică
  54. ЗАКОН О ИНФОРМАЦИОНОЈ БЕЗБЕДНОСТИ (Law on Information Security), Serbia
  55. Foresight: A Glossary, Civil Service College, Singapore
  56. CIBERSEGURIDAD. RETOS Y AMENAZAS A LA SEGURIDAD NACIONAL EN EL CIBERESPACIO, MINISTERIO DE DEFENSA (2010)
  57. CIBERSEGURIDAD. RETOS Y AMENAZAS A LA SEGURIDAD NACIONAL EN EL CIBERESPACIO, MINISTERIO DE DEFENSA (2010)
  58. Leitfaden Schutz kritischer Infrastrukturen 2015 pointing at ISO 31000
  59. Guide pour la protection des infrastructures critiques 2015/Glossaire des risques, Office fédéral de la protection de la population, 29.4.2013
  60. Abu Dhabi Safety and Security Planning Manual
  61. Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)
  62. Cabinet Office, Section A: Introduction, Definitions and Principles of Infrastructure Resilience n.d.
  63. The National Adaptation Programme: Making the country resilient to a changing climate, UK Government (2013)
  64. DHS Risk Lexicon 2010 Edition, September 2010
  65. NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)
  66. Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide (2016)
  67. Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017
  68. IETF RFC449 Internet Security Glossary 2
  69. 69.0 69.1 ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
  70. ISO/IEC 31000:2009, Risk management -- Principles and guidelines
  71. ISO 22301:2012 Societal security -- Business continuity management systems --- Requirements
  72. 72.0 72.1 ISO Guide 73:2009 Risk management -- Vocabulary