Risk Management

Risk management is the activity of assessing, mitigating (to an acceptable level) and monitoring risks. In some cases the acceptable risk may be near zero. Risks can come from accidents, natural causes and disasters, as well as from deliberate attacks by an adversary.

In businesses, risk management entails organized activity to manage uncertainty and threats and involves people following procedures and using tools in order to ensure conformance with risk-management policies.

Risk management is also used in the public sector to identify and mitigate risk to critical infrastructure. For the most part, risk-management methodologies consist of the following elements, performed more or less in this order:

  • identify assets and identify which are most critical
  • identify, characterize, and assess threats
  • assess the vulnerability of critical assets to specific threats
  • determine the risk (i.e. the expected consequences of specific types of attacks on specific assets)
  • identify ways to reduce those risks
  • prioritize risk reduction measures based on a strategy

The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
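As an added worked example (not part of the original article), the six steps above and the four strategies applied to a small constructed risk register in Python. It assumes one particular scoring model, risk = likelihood × vulnerability × impact (an expected annual loss), and ranks candidate measures by risk reduced per unit of annual cost; the article itself prescribes no formula, and every asset, threat and figure below is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:          # one (asset, threat) pair from steps 1-3
    asset: str
    threat: str
    likelihood: float    # expected threat events per year (assumed estimate)
    vulnerability: float # probability an event succeeds against the asset, 0..1
    impact: float        # consequence of one successful event, in currency units
    def risk(self) -> float:
        # Step 4: expected consequence, modelled here as expected annual loss.
        return self.likelihood * self.vulnerability * self.impact

@dataclass(frozen=True)
class Measure:           # a candidate risk-reduction measure (step 5)
    name: str
    asset: str
    threat: str
    strategy: str          # "avoid", "reduce", "transfer" or "accept"
    residual_factor: float # fraction of the pair's risk left once the measure is applied
    annual_cost: float
def assess(exposures):
    """Rank (asset, threat) pairs by expected consequence, highest first."""
    return sorted(exposures, key=lambda e: e.risk(), reverse=True)
def prioritize(exposures, measures):
    """Step 6: rank measures by risk reduced per unit of annual cost."""
    risk_of = {(e.asset, e.threat): e.risk() for e in exposures}
    scored = []
    for m in measures:
        reduced = risk_of[(m.asset, m.threat)] * (1.0 - m.residual_factor)
        if m.annual_cost > 0:
            ratio = reduced / m.annual_cost
        else:  # free measure: rank first if it reduces anything, last otherwise
            ratio = float("inf") if reduced > 0 else 0.0
        scored.append((m, reduced, ratio))
    return sorted(scored, key=lambda t: t[2], reverse=True)
# Constructed sample register; assets, threats and figures are illustrative only.
EXPOSURES = [
    Exposure("customer database", "ransomware", 0.5, 0.4, 2_000_000),
    Exposure("customer database", "insider data theft", 0.2, 0.5, 1_500_000),
    Exposure("office building", "fire", 0.02, 1.0, 3_000_000),
    Exposure("legacy FTP server", "credential brute force", 12.0, 0.25, 10_000),
]
MEASURES = [
    Measure("decommission FTP server", "legacy FTP server", "credential brute force", "avoid", 0.0, 5_000),
    Measure("offline backups, tested restores", "customer database", "ransomware", "reduce", 0.25, 60_000),
    Measure("cyber-insurance policy", "customer database", "ransomware", "transfer", 0.5, 80_000),
    Measure("fire suppression system", "office building", "fire", "reduce", 0.2, 40_000),
    Measure("accept residual insider risk", "customer database", "insider data theft", "accept", 1.0, 0),
]
```

Note that the cheap "avoid" measure outranks the larger-reduction backup measure because prioritization is by reduction per unit cost, not by absolute risk; the "accept" entry records a decision and reduces nothing.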

Some traditional risk management programs (e.g., health risk assessment) are focused on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits). Financial risk management, on the other hand, focuses on risks that can be managed using traded financial instruments.