There are various risk management models in use; one of them is discussed here.

General Risk Management Model:

This five-step general risk management model can be applied in virtually any risk management process:
Step 1: Asset Identification
Identify and classify the assets, systems, and processes that need protection because they are exposed to threats.

Step 2: Threat Assessment
After identifying assets, identify the threats and the vulnerabilities associated with each asset, and the likelihood of their occurrence. Everything has vulnerabilities; one of the key tasks is to focus on the exploitable ones. Useful catalogues include CWE (from mitre.org), the SANS Top 25 list, and the OWASP Top 10 list.

Step 3: Impact Determination and Quantification
An impact is the loss created when a threat is realized and exploits a vulnerability. A tangible impact results in financial loss or physical damage. For an intangible impact, such as damage to a company's reputation, assigning a financial value can be difficult.

Step 4: Control Design and Evaluation
Determine the controls (also called countermeasures or safeguards) to put in place to mitigate risks. A catalogue of controls, including software controls, can be found in NIST SP 800-53.
Step 5: Residual Risk Management
The risk that remains after implementing controls is termed residual risk. Multiple controls can be applied to achieve a better defense posture through defense in depth.
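The five steps above worked through as a small risk register (an added example, not part of the original text). It assumes the common quantitative convention risk = likelihood x impact, and models defense in depth by letting each independent control remove a fraction of the threat's likelihood; all asset names, threats, probabilities, loss values and reduction factors are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """Step 4: a countermeasure. likelihood_reduction is the fraction of the
    threat's likelihood it removes (0.0 = useless, 1.0 = eliminates it).
    Assumption: layered controls are independent, so their residual
    factors multiply (defense in depth)."""
    name: str
    likelihood_reduction: float


@dataclass
class Risk:
    asset: str                      # Step 1: asset under protection
    threat: str                     # Step 2: threat / exploitable vulnerability
    likelihood: float               # Step 2: probability of occurrence per year (0..1)
    impact: float                   # Step 3: quantified loss per occurrence (currency units)
    controls: list = field(default_factory=list)  # Step 4

    def inherent_risk(self) -> float:
        """Expected annual loss with no controls in place."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> float:
        """Likelihood left after every control has taken its share."""
        factor = 1.0
        for c in self.controls:
            factor *= 1.0 - c.likelihood_reduction
        return self.likelihood * factor

    def residual_risk(self) -> float:
        """Step 5: expected annual loss that remains after controls."""
        return self.residual_likelihood() * self.impact


def build_register() -> list:
    """Constructed sample register: three assets, each with a threat, a
    quantified impact and zero or more controls."""
    db = Risk("customer DB", "SQL injection via web app (CWE-89)", 0.4, 250_000.0,
              [Control("parameterized queries", 0.9), Control("WAF", 0.5)])
    ci = Risk("build server", "compromised dependency in CI pipeline", 0.2, 80_000.0,
              [Control("pinned dependencies with hash verification", 0.6)])
    laptops = Risk("laptop fleet", "lost device with unencrypted data", 0.5, 40_000.0)
    return [db, ci, laptops]


def above_tolerance(register: list, max_residual: float) -> list:
    """Assets whose residual risk still exceeds the accepted level,
    highest residual first; these need further controls or acceptance."""
    open_risks = [r for r in register if r.residual_risk() > max_residual]
    return [r.asset for r in sorted(open_risks, key=Risk.residual_risk, reverse=True)]
```

Note how the customer DB drops from 100,000 to roughly 5,000 in expected annual loss only because two independent controls are layered, while the uncontrolled laptop fleet keeps its full inherent risk.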