In order to begin the risk assessment phase, the organization uses the list of information assets it has identified and prioritizes assets and the threats facing them to compare information assets to threats. The resulting list of vulnerabilities are those that remain risks to the organization. This list should be created for each information asset to document its vulnerability to each possible or likely attack. The best way found to do this documentation is the threat vulnerability asset, or TVA, table. As shown, it would list assets along the x-axis from most to least valuable and list threats along the y-axis from most to least dangerous. At the intersection of the asset and threat pair, list the vulnerabilities that the threat might use to cause a loss to the asset.

Now, we move on to assess the risk that exists in each of the TVA tables. Risk is commonly calculated as the likelihood that a threat to an asset will result in an adverse impact, which is then multiplied by the consequences or impact of that attack. [INAUDIBLE] That value is then increased by an estimate of how reliable our values of both likelihood and impact are, known as a confidence interval. Many approaches to assessing likelihood exist. One example of some likelihood ratings on a scale of 0 to 5 is shown here. Likewise, there are many ways to assess impact. Here is an example of some impact ratings on a scale of zero to five.

Before the organization can proceed with the final phase of risk management activities, which is risk control, it needs to understand how much risk is acceptable to management. Some organizations have a very low tolerance for risk, such as banking and other financial services firms. Other types of organization may tolerate more risk. The amount of risk that remains after all current levels are implemented is known as residual risk.
Any organization may reach a point in the risk management process and find that the documented residual risk is low enough to accept, being within the bounds of its risk appetite. They would end the current risk management cycle and document everything for the next cycle. Once the organization has assessed the current level of risk facing its information assets and defined its risk appetite, it can move to the final phase of risk management. And that's called Risk Control.

In the Risk Control phase, organizations employ one or more of the five strategies of risk control. Defense, which is applying safeguards that eliminate or reduce the remaining uncontrolled risk. Transference, which is shifting risk to other areas or outside entities. Mitigation, which is reducing the impact to information assets should an attacker successfully exploit a vulnerability. Acceptance. That's understanding the consequences of choosing to leave a risk uncontrolled and then formally accepting the risk that remains without an attempt at control. And the final is termination. And that's removing or discontinuing the information asset from the organization's operating environment altogether.

Risk management is an essential process for every organization. There are many formalized models for risk management in the marketplace, and many organizations are using consulting resources to assist them in finding the optimum means to reduce operational risk.