Which term is the process of identifying, evaluating and controlling threats, including the phases of risk context, risk assessment, risk treatment, and risk monitoring?


Multiple Choice


Explanation:
Risk management is the end-to-end process of identifying threats, evaluating their potential impact, and putting controls in place to reduce or manage those risks. It begins with establishing the context—defining the scope, stakeholders, and risk criteria. Then comes risk assessment, where threats and vulnerabilities are identified and the likelihood and impact are estimated to determine risk levels. Risk treatment follows, selecting how to respond—avoid, transfer, mitigate, or accept the risk—and implementing the chosen controls. Finally, risk monitoring keeps track of risk over time, re-evaluating as conditions change and ensuring controls remain effective. While policies, privacy frameworks, and regulations influence security, they do not describe this structured, ongoing process of identifying, evaluating, and controlling threats.

