Risk management and the strategies
by 趙永祥 2015-01-28 21:30:14, Responses (0), Views (964)



Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Several risk management standards have been developed, including those from the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

The strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).

Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk, whereas the confidence in estimates and decisions seems to increase.[1] For example, it has been shown that one in six IT projects experiences cost overruns of 200% on average, and schedule overruns of 70%.


Principles of risk management

The International Organization for Standardization (ISO) identifies the following principles of risk management.

Risk management should:

* create value – resources expended to mitigate risk should be less than the consequence of inaction, or (as in value engineering), the gain should exceed the pain

* be an integral part of organizational processes

* be part of the decision-making process

* explicitly address uncertainty and assumptions

* be a systematic and structured process

* be based on the best available information

* be tailorable

* take human factors into account

* be transparent and inclusive

* be dynamic, iterative and responsive to change

* be capable of continual improvement and enhancement

* be continually or periodically re-assessed


  • Risk sources may be internal or external to the system that is the target of risk management (use mitigation instead of management since by its own definition risk deals with factors of decision-making that cannot be managed). Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.


http://en.wikipedia.org/wiki/Risk_management