<a href="http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1268743,00.html">IT risk management</a> is a very different exercise than just managing and mitigating technology threats and vulnerabilities related to infrastructure. What’s often missing in discussions of risk is the business impact should a condition arise that affects (at a minimum) the confidentiality, integrity or availability of the business’ most important assets.
Most enterprises — regardless of size — have no reliable way of understanding how to prioritize their efforts and spending, as a measured result of managing risk, to an acceptable level based upon a transparent process. This is usually because they don’t have a transparent process for IT risk management.