According to , page 7-8, one of the roles of risk management in the strategic planning process is to identify threats and opportunities that could affect the organization’s objectives and performance.

Risk management can be used in varied and complex settings 2 . Risk management can help organizations deal with uncertainty and complexity in any type of activity, industry, or sector.

Full accountability for risk controls and treatment and decision making involves risk are two of the enhanced risk management attributes according to ISO 31000:2009 1 . These attributes indicate that risk management is integrated into governance and decision-making processes.

  Risk treatment is the risk process step to manage, control, or remediate risk 1 . Risk treatment involves selecting and implementing options to modify or control risks.

the last step of the risk assessment process, which starts with risk identification, moves to risk assessment, and finally risk evaluation, is Risk evaluation.

Risk evaluation involves comparing the estimated level of risk against the risk criteria established during the risk assessment phase, to determine the significance of the risk and whether it is acceptable or not. This decision is made in consultation with stakeholders, who may provide additional context and information to inform the decision.

The American Society for Quality (ASQ) describes risk evaluation as "the process of comparing an estimated risk against given risk criteria to determine the acceptability of the risk." [1]

Similarly, ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) defines risk evaluation as "the process of comparing the estimated risk against given risk criteria in order to determine the significance of the risk." [2]

References: [1] ASQ Glossary - Risk evaluation,  https://asq.org/quality-resources/risk-evaluation  [2] ISO/IEC 27001:2013, Clause 6.1.3(c),  https://www.iso.org/standard/54534.html

 ISO uses the concept of uncertainty as the driver and rationale for risk management. Uncertainty refers to the state of having incomplete knowledge or understanding about something that can affect an organization’s objectives.

A risk management professional advises management on the status of key risks by providing insights into the changing characteristics of a risk 3 . This helps to monitor and review the effectiveness of risk management activities and communicate any changes in risk levels or priorities.

According to  3 , page 6, one of the current trends in auditing, risk management and compliance is “moving from a back-office function providing lagging indicators about risk (e.g., audit findings) to a front-office function providing leading indicators about risk (e.g., key risk indicators)”.

Integrated and customized are two of the nine risk management principles in ISO 31000:2018 1 . Integrated means that risk management is an integral part of all organizational activities. Customized means that risk management is aligned with the organization’s external and internal context and risk profile.

 According to ISO31000 (2018), clause 4., one of the principles of effective risk management is “taking human and cultural factors into account”. This means that risk management should consider how people’s behaviors, perceptions, values and attitudes influence or are influenced by risk .