Every organization manages its risk, but not always in a way that is visible, repeatable and consistently applied to support decision making. The task of Risk Management is to ensure that the organization makes cost-effective use of a risk process that has a series of well-defined steps. The aim is to support better decision making through a good understanding of risks and their likely impact.
There are two distinct phases: Risk Analysis and Risk Management. Risk analysis is concerned with gathering information about exposure to risk so that the organization can make appropriate decisions and manage risk appropriately. Risk analysis involves the identification and assessment of the level of the risks, calculated from the assessed values of assets and the assessed levels of threats to, and vulnerabilities of, those assets.
Risk Management involves having processes in place to monitor risks, access to reliable and up-to-date information about risks, the right balance of controls in place to deal with those risks, and decision-making processes supported by a framework of risk analysis and evaluation. Risk Management also involves the identification, selection and adoption of countermeasures justified by the identified risks to assets in terms of their potential impact upon services if failure occurs, and the reduction of those risks to an acceptable level (ITIL V3).
ENISA is the European Network and Information Security Agency, which acts as a Centre of Excellence and gives advice and recommendations in the area of Information Security and Risk Management. Here is a link to a very good overview of Risk Analysis and Risk Management methods as developed by ENISA.
Please click this link to run the ENISA-HTML Model.