Risk Management 101: A Risk Management Guide for Information Security

The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
