Steps for managing risk

Computerworld - Many companies regard risk management as a critical but challenging endeavor.
The challenge is usually the result of a misunderstanding between technology risk and business risk. The topic is further complicated when companies turn to governance frameworks as solutions rather than as models for organizing and communicating their risk postures. From Cobit (Control Objectives for Information and Related Technology) and COSO (Commission of Sponsoring Organizations) to ISO/IEC (International Standards Organization/International Electrotechnical Commission) 17799 and more, standards models are often inappropriately embraced as the key to managing risk.
While these standards models represent an effective baseline for risk governance, organizations often find that these guidelines provide only part of the risk management solution. Many companies harness the benefits of risk management by developing processes for identifying, defining and responding to risks.
Executing these processes entails identifying the current state of enterprise risk, defining the desired state of risk or risk tolerance, and taking steps to normalize risk from the current state to the desired state, or risk equilibrium. For maximum effectiveness, these efforts should be driven by a formal security assurance office within an organization. The leadership team should include individuals with expertise in technology, operations, business, finance, law and the organizational structure of the company.
Let's take a closer look at how this team should proceed.
Identification
Governance frameworks can be an effective tool for companies that want to identify their current state of risk and security maturity. In general, these frameworks can be effective in achieving this goal, but they typically don't provide an approach to define risk tolerance or risk response for the organization.
Identifying the current state of risk can be difficult, since few companies have a comprehensive understanding of their critical assets, threat vectors and security capabilities. One of the most challenging categories of critical assets for an organization to understand and define is information. It's important for organizations to classify their data as a step in identifying their current state of risk. Information classification is simply a way to organize assets so that when security countermeasures or a risk evaluation is applied, the analysis can be associated to all assets of the same level.
It's also important to consider every phase of information as it is used by the organization, its partners and its customers. The information life cycle consists of five phases: creation, transfer, storage, viewing and destruction.
Many of today's governance models can serve as a tool for defining areas of risk. The control areas and themes covered within each model can serve as