Last updated: April 29, 2026
The Mumbai NBFC’s risk register had 247 risks rated “High”. Half were five years old. None had named owners. None had quantified financial impact. The Chief Risk Officer asked the new CISO to “fix it” before the upcoming RBI inspection. Six weeks later, the register had 31 active risks, each owned, quantified, and with a treatment plan. This module covers practitioner-grade risk management — not the academic version.
What risk management actually is
Risk management is the discipline of (1) identifying things that could go wrong, (2) quantifying their likelihood and impact, (3) deciding what to do about each, and (4) tracking the decisions over time. The five risk treatment options:
- Avoid — don’t do the thing
- Mitigate — reduce likelihood or impact via controls
- Transfer — shift the financial consequence to another party, via insurance or contractual terms
- Accept — explicitly accepted with documented sign-off
- Exploit — for opportunity-side risk (less common in cyber)
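The four steps above (identify, quantify, decide, track) and the register clean-up in the opening story can be expressed as a small data model plus a triage check. The following is an added example, not code from the original module or from the NBFC it describes; the risk entries, owners, INR figures, dates and the 365-day review window are constructed assumptions, and a single annualised-loss figure (likelihood × impact) stands in for whatever quantification method the organisation actually uses.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """The five treatment options, as listed above."""
    AVOID = "avoid"        # stop doing the activity that carries the risk
    MITIGATE = "mitigate"  # reduce likelihood or impact with controls
    TRANSFER = "transfer"  # insurance or contractual allocation
    ACCEPT = "accept"      # explicit acceptance with documented sign-off
    EXPLOIT = "exploit"    # opportunity-side risk


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: Optional[str]                 # a named individual, not a team
    likelihood: Optional[float]          # annual probability of occurrence, 0..1
    impact_inr: Optional[float]          # single-event loss in INR (constructed figures)
    treatment: Optional[Treatment]
    last_reviewed: Optional[date]
    residual_likelihood: Optional[float] = None  # after treatment, if known
    residual_impact_inr: Optional[float] = None
    sign_off: Optional[str] = None       # who accepted the risk (required for ACCEPT)

    def annualised_loss(self) -> Optional[float]:
        """Expected annual loss = likelihood x impact; None if not quantified."""
        if self.likelihood is None or self.impact_inr is None:
            return None
        return self.likelihood * self.impact_inr

    def residual_loss(self) -> Optional[float]:
        """Expected annual loss after treatment, falling back to inherent values."""
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = self.residual_impact_inr if self.residual_impact_inr is not None else self.impact_inr
        if lik is None or imp is None:
            return None
        return lik * imp


def register_defects(risk: Risk, as_of: date, max_age_days: int = 365) -> list[str]:
    """Reasons an entry is not inspection-ready; an empty list means it is."""
    defects = []
    if not risk.owner:
        defects.append("no named owner")
    if risk.annualised_loss() is None:
        defects.append("financial impact not quantified")
    if risk.treatment is None:
        defects.append("no treatment decision")
    elif risk.treatment is Treatment.ACCEPT and not risk.sign_off:
        defects.append("accepted without documented sign-off")
    if risk.last_reviewed is None or (as_of - risk.last_reviewed).days > max_age_days:
        defects.append(f"stale: not reviewed within {max_age_days} days")
    return defects


def triage(register: list[Risk], as_of: date):
    """Split the register into ready entries and entries that need work."""
    ready, needs_work = [], []
    for risk in register:
        defects = register_defects(risk, as_of)
        (needs_work if defects else ready).append((risk, defects))
    return ready, needs_work


def ranked_by_loss(register: list[Risk]) -> list[Risk]:
    """Quantified risks only, highest expected annual loss first."""
    quantified = [r for r in register if r.annualised_loss() is not None]
    return sorted(quantified, key=lambda r: r.annualised_loss(), reverse=True)


AS_OF = date(2026, 4, 29)

# Constructed sample register: names, figures and dates are illustrative only.
SAMPLE_REGISTER = [
    Risk("R-001", "Core banking DB credential theft", "Head of Infrastructure",
         0.2, 50_000_000, Treatment.MITIGATE, date(2026, 3, 1), residual_likelihood=0.05),
    Risk("R-002", "Ransomware on branch endpoints", None,
         0.3, 20_000_000, None, date(2021, 2, 10)),
    Risk("R-003", "Cloud provider SLA breach", "CIO",
         0.1, 5_000_000, Treatment.TRANSFER, date(2026, 1, 15)),
    Risk("R-004", "Legacy reporting tool past end-of-life", "Head of Applications",
         None, None, Treatment.ACCEPT, date(2026, 4, 1)),
]

if __name__ == "__main__":
    ready, needs_work = triage(SAMPLE_REGISTER, AS_OF)
    print(f"{len(ready)} ready, {len(needs_work)} need work")
    for risk, defects in needs_work:
        print(f"  {risk.risk_id}: {', '.join(defects)}")
    for risk in ranked_by_loss(SAMPLE_REGISTER):
        print(f"  {risk.risk_id} EAL={risk.annualised_loss():,.0f} residual={risk.residual_loss():,.0f}")
```

Running it flags R-002 (no owner, no treatment, stale) and R-004 (unquantified, accepted without sign-off) while R-001 and R-003 pass, and ranks R-001 first by expected annual loss. The point of `register_defects` is that "owned, quantified, with a treatment plan, and recently reviewed" becomes a mechanical check you can run before an inspection rather than a judgement made entry by entry.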