Risk Management

Risk Management is a business practice that protects physical, logical and human resources. Risk management is very often applied in banking and finance sectors, but all industries need a "risk management" function. Risks that need to be managed include losses from natural causes such as disasters or fires, accidents, lawsuits, etc. Risk is an issue which could impact your ability to meet your objectives.

Do you need the Risk Acceptance Forms? They can be found below.

What is risk? Expand

  • Verb: expose to a chance of loss or damage
  • Noun: a source of danger
  • Noun: a venture undertaken without regard to possible loss or injury
  • Verb: take a risk in the hope of a favorable outcome

Glossary of risk terms Expand

Acceptable Risk - A term used to describe the minimum acceptable risk that an organization is willing to take.

Countermeasure or Safeguards - Controls, processes, procedures, or security systems that help to mitigate potential risk.

Exposure - When an asset is vulnerable to damage or losses from a threat.

Exposure Factor - A value calculated by determining the percentage of loss to a specific asset because of a specific threat.

Residual Risk - The risk that remains after security controls and security countermeasures have been implemented.

Risk Management - The process of reducing risk to assets by identifying and eliminating threats through the deployment of security controls and security countermeasures.

Risk Analysis - The process of identifying the severity of potential risks, identifying vulnerabilities, and assigning a priority to each.This may be done in preparation for the implementation of security countermeasures designed to mitigate high-priority risks.

Criticality Matrix Expand

  Most Critical
Highest Level of Sensitivity
Moderate level of sensitivity
Least Critical
Very low, but still requiring some protection
Legal Requirements Protection of data is required by law (e.g., HIPAA and FERPA data elements and other personal identifying information protected by law) The institution has a contractual obligation to protect the data (e.g., bibliographic citation data, bulk licensed software)  
Reputation Risk
High Medium Low
Other Institutional Risks
Information that provides access to resources, physical or virtual Smaller subsets of Most Critical data from a school, large part of a school, or department  
Data Examples



Prospective student


Donor or prospect



Physical plant detail

Credit card numbers

Certain management information

Information resources with access to Most Critical data

Research detail or results that are not Most Critical

Library transactions (e.g., catalog, circulation, acquisitions)

Financial transactions that do not include Most Critical data (e.g., telephone billing)

Very small subsets of Most Critical data

Campus maps

Personal directory data (e.g., contact information)


Institutionally published public data

Risk Matrix Expand

To determine the degree of urgency attached to a given situation, refer to this table.

Image of the risk matrix

Risk Assessment Expand

The IT@UC Office of Information Security (OIS) will assist with Risk Assessment upon request.

Our Controlled Self-Assessment process will help you understand more about the risk profile of your organization. It helps internal business personnel evaluate informal or subjective controls in 62 important Information Security Areas.

Risk Acceptance Forms Expand

Risk Acceptance Policy

Please read “RAF Field Descriptions” document for help with completing a RAF form correctly

Please send to infosec@uc.edu to review prior to having your leadership sign the form.

Risk Acceptance Form (RAF) (PDF)

Risk Acceptance Form (RAF) (Word)

Risk acceptance forms should be filled out electronically and emailed to the IT@UC Office of Information Security.

To view PDF files, you will need Adobe Acrobat Reader, a free download.