Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity. (Van Scoy, 1992)
Particularly in IT industry, every process is dependent on IT technology and all companies rely on IT assets in some or the other way. Be it data storage on the cloud or computer system, IT plays a very crucial role. Information Security has become very dominant because information is now more stored in digital environment which has both advantages and disadvantages with it. On one hand IT makes the task easier but just one switch off of a power button can be disastrous to the whole organisation if proper precautions have not been taken. So when these assets are so important then risk management becomes more important. Risk management is the total process used to identify, control, and minimize the impact of uncertain events. Risk management is made up of four distinct processes: risk analysis, risk assessment, risk mitigation, and vulnerability assessment and controls evaluation.