Essay / The Risk Management Process - 2569
Chapter One

1. In your own words, what is risk management?

Risk management is the process a company follows to define the organization's assets, threats, and vulnerabilities and design ways to protect them. According to Roper, the importance of risk management as a unique function for an organization is increasingly understood at higher levels of business management (Roper, 1999). Additionally, CEOs, COOs, and CFOs around the world know that every decision will have pros and cons that will carry some degree of risk (“Risk Management,” n.d.). According to the Best Practices website: “Effective risk management provides significant benefits to all organizations and enables them to maintain business profitability and organizational functioning.” The benefits of risk management will include:

• Better basis for establishing strategy
• Improved service delivery
• Greater competitive advantage
• Less time spent fighting fires and fewer unpleasant surprises
• Increased likelihood of achieving Change initiatives
• Closer internal focus on doing the right things correctly
• More efficient use of resources
• Reduced waste and fraud, and better value for money
• Improved innovation
• Better management of contingent and maintenance activities.

There are several strategies and models available today to help companies execute risk management at the organizational level. The security professional is also responsible for learning the skills of a risk manager, which adds new levels to the position.

2. Risk management is considered a systemic approach. What are the benefits of using a systems approach in the risk management process?

The need for an organization to protect its assets is essential to its survival. A process “...... middle of paper ......tion. In the security field, there are many consultants and consulting companies that will provide this type of service.
Even in organizations that have an internal security expert, periodic assessments by an external auditor are often recommended. Regardless of the source, periodic assessments should be carried out, and the security manager must in turn be prepared to use all available resources to create a proactive and reactive defense strategy. Since a variety of automated and non-automated methods are used, the security manager must stay abreast of known and emerging threats and countermeasures if he or she is to be prepared to protect the interests of the organization. Continuing education, research, and periodic risk assessments will all play a role in the success of a comprehensive set of information security measures and effective management practices.