[Figure labels: Identification; Risk Response and Mitigation]

[Figure labels: Context Establishment; Risk Assessment; Risk Evaluation; Risk Treatment; Identify Assets; Identify Threats; Identify Existing Controls; Identify Vulnerabilities]

[Figure labels: Risk Culture; Behavior Towards Taking Risk; Behavior Towards Negative Outcomes; Behavior Towards Policy Compliance; Learning Culture; Blaming Culture; Compliance; Non-Compliance]

[Figure labels: Effective IT Risk Communication; Status: Risk Profile, Key Risk Indicators, Loss Data, etc.; Capability: Risk Management Process Maturity]

[Figure labels: Enterprise Strategy; Senior Management; Strategic Plans; Risk Guidance; Business Operations and Processes; Risk Monitoring]