Two recent articles on CSOonline can help expand your knowledge of risk management:
How to determine your real risk appetite. So you've probably experienced or seen this before: You describe a risk to an executive. The executive shrugs, essentially. Later the risk comes home to roost, i.e. something bad happens. Now the executive appears to be completely surprised and initiates punitive action internally.
I think many organizations do a poor job of articulating how much risk, and what types of risk, they are willing to accept. This article by David Geer will help you formalize the understanding of risk appetite within your own company.
ERM: The basics. Speaking of appetite, if you're REALLY hungry for foundational risk management info, tuck in your napkin and get out the carving knife. This article condenses tons of elemental risk management topics into a great FAQ format.
If you already know:
- what ISO 31000 is
- what TCOR stands for
- how risk management teams/departments/functions are commonly organized
- the connection and distinction between GRC and ERM
- which individuals in your company already hold the title of "risk manager", and what they do
then this article might be redundant for you.
But if you don't know all these things, and you're serious about doing real risk management (rather than just re-labeling your security department), then set aside an hour and dive in.