Identifying, assessing, and managing risks to an organization or part of an organization.
Differentiating risks (uncertain events that ‘matter’ in the sense that they entail a loss) from threats (causes or sources that can trigger one or more risk events) and from objectives (the things to which losses occur as a consequence of risk events happening).
Scientifically valid methods to measure likelihoods and impacts, including the likelihoods of threats, the likelihoods of risk events given threats, the consequences of risk events on objectives, and the importance of objectives.
Identifying, evaluating, and allocating resources to controls to reduce risks by (1) reducing the likelihoods of threats, (2) reducing the likelihoods of risk events occurring given specific threats, and (3) mitigating the consequences of risk events on objectives.
Optimizing the allocation of scarce resources to controls to reduce both long-term risks (expected risks) and short-term risks (value at risk).
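As an added illustration that is not part of the original list, the decomposition above in working Python: threats, risk events given threats, consequences weighted by objective importance, controls that each act on exactly one of the three factors, expected risk as the long-term measure and a Monte Carlo value at risk as the short-term one, with a greedy allocation of a fixed budget. All scenario and control figures are constructed sample values, and the greedy rule is one simple choice of optimizer, not the only one.

```python
import random
from collections import namedtuple

# One threat -> risk event -> objective chain. p_threat: likelihood the threat materialises
# in the period; p_event: likelihood the risk event occurs given the threat; consequence:
# loss to the objective if it does; importance: weight of that objective (1.0 = baseline).
Scenario = namedtuple("Scenario", "name p_threat p_event consequence importance")
# A control spends `cost` to multiply one factor of the named scenario ("p_threat",
# "p_event" or "consequence") by `reduction`; 0.3 leaves 30% of the original value.
Control = namedtuple("Control", "name cost scenario factor reduction")

def expected_risk(scenarios):
    """Long-term view: expected loss per period, summed over all scenarios."""
    return sum(s.p_threat * s.p_event * s.consequence * s.importance for s in scenarios)

def value_at_risk(scenarios, confidence=0.95, trials=20_000, seed=1):
    """Short-term view: Monte Carlo loss distribution; VaR is the loss at the confidence quantile."""
    rng = random.Random(seed)
    draws = (sum(s.consequence * s.importance for s in scenarios
                 if rng.random() < s.p_threat and rng.random() < s.p_event) for _ in range(trials))
    return sorted(draws)[min(int(confidence * trials), trials - 1)]

def apply_control(scenarios, c):  # copy of the list with c applied to its one factor
    return [s._replace(**{c.factor: getattr(s, c.factor) * c.reduction}) if s.name == c.scenario else s
            for s in scenarios]

def allocate(scenarios, controls, budget):
    """Greedy: buy the affordable control with the largest expected-risk reduction per unit cost,
    re-evaluating after each purchase because controls acting on the same scenario interact."""
    chosen, remaining = [], list(controls)
    while True:
        base = expected_risk(scenarios)
        ranked = sorted(((base - expected_risk(apply_control(scenarios, c))) / c.cost, i)
                        for i, c in enumerate(remaining) if c.cost <= budget)
        if not ranked or ranked[-1][0] <= 0:  # nothing affordable, or nothing that still helps
            return chosen, scenarios
        best = remaining.pop(ranked[-1][1])
        scenarios, budget = apply_control(scenarios, best), budget - best.cost
        chosen.append(best.name)

SCENARIOS = [  # constructed sample values, not data from any real organisation
    Scenario("phishing -> credential theft", 0.9, 0.3, 200_000, 1.0),
    Scenario("ransomware -> plant downtime", 0.4, 0.2, 1_000_000, 1.5),
    Scenario("insider -> data leak", 0.2, 0.5, 300_000, 1.0),
]
CONTROLS = [  # constructed sample values
    Control("phishing-resistant MFA", 60_000, "phishing -> credential theft", "p_event", 0.2),
    Control("offline backups", 40_000, "ransomware -> plant downtime", "consequence", 0.3),
    Control("threat-intel blocking", 30_000, "ransomware -> plant downtime", "p_threat", 0.7),
]
```

With a budget of 100,000 the greedy pass buys the backups first and then the MFA control: after the backups cut the ransomware consequence, the threat-blocking control's remaining marginal gain per unit cost falls below the MFA's, which is why re-evaluating after each purchase matters.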