In order to assess and mitigate risk, a standard method should be used. As stated earlier in this chapter, no single risk management methodology is better than another. The methodology below is a composite of best practices from industry and government models, most notably those of the National Institute of Standards and Technology (NIST), the Information Systems Audit and Control Association (ISACA), and ISO standard 17799.
The key to success is not the model itself, but whether the model works for your business and whether you, as the IT risk manager, are able to articulate the business value of having a risk management methodology. A standard methodology that all business units use to assess risk provides the key ingredient of a successful program. The following paragraphs discuss the risk management model shown in Figure 3, and define and explain each step in the process.