Risk Management Moving Target
There is a question on Quora, 'Is IT Risk Management a Moving Target?', which I answered there, but the principles relate to all organisations and projects.
The original question refers to ‘IT risk management’, suggesting something unique to IT. Any exploration of risk management for IT, however, will readily develop to include all stakeholders at all levels: the company, staff, employees, suppliers, the wider supply chain, influencers such as government and regulation, and the customers and their wider interests.
All risk management changes and needs to be reviewed regardless of perceived context. As with project management, IT should not be looked at in isolation. As an example, the threat of failure of any part of the use of IT affects companies, organisations and governments. At all levels people have to be able to see what the risks are and manage them.
If there is a failure through, e.g., cybersecurity, malware, hacking, or simply a loose email containing a virus, we might think of this as being IT. But the risk can be managed by many people who are not part of the IT department, the risk can be seen by people outside IT, and most if not all of a company’s employees, along with a much bigger set of stakeholders, expect to be able to use IT at all times. Users change, their understanding changes, and anyone might click on the wrong link.
So yes, risk management is a moving target.
Another answer by Rich Cohen provides a useful citation which you can find via Quora: https://www.quora.com/Is-IT-risk-management-a-moving-target?__nsrc__=4
Risk management continuously changes and all risk management processes and procedures need to be reviewed continuously.
For a review session, please contact me.