Risk management is the process of identifying and assessing risk, reducing it to a prescribed acceptable level, and then taking steps to maintain that level. No organisation can be made completely immune to risks and threats. The skill lies in identifying each risk, assessing the probability of its occurrence and the damage it could cause, and mitigating it to the acceptable level the organisation has defined.
An organisation should be aware of its vulnerabilities and risks. Information security identifies several major categories of risk, such as physical damage, human actions that disrupt operations, infrastructure malfunction, hacking attacks, misuse and loss of data, and application errors.
An organised approach to risk management is required, in which threats are identified, classified and evaluated for their risk potential.