Risk management principles can be found in ISO 31000:2009, Risk management – Principles and guidelines, and its companion guide ISO Guide 73:2009, Risk management – Vocabulary, which collects definitions relevant to the management of risk. ISO/IEC 31010:2009, Risk management – Risk assessment techniques, focuses on the techniques used to assess risk.
Other documents that set out risk management principles include NIST SP 800-39 (Managing Information Security Risk) and NIST SP 800-30 (Guide for Conducting Risk Assessments).
The principles of risk management center on organizational risk: what is the risk to the bottom line of the organization, whether that bottom line is money, reputation, a mission, or a process, and how will the organization address that risk from the top down? Risk is addressed at every level of the organization, from the very top to the bottom. NIST SP 800-39 breaks this down into three tiers: the organization, its mission and business processes, and the information systems that support them.
To address actual risk, an organization must be able to estimate the likelihood of a harmful event (a threat) exploiting a vulnerability to adversely affect an asset. A common conceptual formula for IT risk is:
Risk = ((Vulnerability × Threat) / Countermeasure) × Asset Value at Risk
An organization that takes a quantitative approach to analysing and managing the risk to its resources must, for each asset, identify the threats, the vulnerabilities, and the countermeasures (security controls) already in place, and determine the level of impact the organization would suffer if the harmful event occurred. This information is gathered through risk assessments. Note that the formula above is conceptual rather than arithmetic: its terms are not measured on a common scale, so in practice likelihood and impact are estimated separately (qualitatively, or in monetary terms for a quantitative assessment), and a countermeasure is credited with the reduction it produces in one or both.
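A worked quantitative example, added here and not part of the original page. Instead of the conceptual formula above it uses the conventional single-loss / annualized-loss expectancy (SLE/ALE) model: likelihood is carried by the annualized rate of occurrence (ARO), impact by the exposure factor (EF), and each countermeasure is modelled as a fractional reduction of one or both. A control is worth funding when the expected annual loss it removes exceeds its annual cost. All assets, values, likelihoods and control costs are constructed sample data, not figures from the page.

```python
"""Quantitative risk assessment helper (added example, not from the page).

    SLE = asset value (AV) x exposure factor (EF)      # loss per occurrence
    ALE = SLE x annualized rate of occurrence (ARO)    # expected loss per year

All figures below are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset (the vulnerability is assumed present)."""
    asset: str
    threat: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0..1
    aro: float               # ARO: expected occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")


@dataclass(frozen=True)
class Control:
    """A countermeasure that lowers likelihood (ARO) and/or impact (EF)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction of ARO removed, 0..1
    ef_reduction: float = 0.0    # fraction of EF removed, 0..1

    def __post_init__(self):
        for f in (self.aro_reduction, self.ef_reduction):
            if not 0.0 <= f <= 1.0:
                raise ValueError("reductions must be in [0, 1]")


def sle(s: Scenario) -> float:
    """Single loss expectancy: loss from one occurrence of the event."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy: expected loss per year."""
    return sle(s) * s.aro


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario once the control is in place (validation re-runs)."""
    return replace(s,
                   exposure_factor=s.exposure_factor * (1.0 - c.ef_reduction),
                   aro=s.aro * (1.0 - c.aro_reduction))


def net_benefit(s: Scenario, c: Control) -> float:
    """Annual value of the control: ALE avoided minus what the control costs."""
    return ale(s) - ale(apply_control(s, c)) - c.annual_cost


def rank_by_ale(scenarios):
    """Highest expected annual loss first; this is the order to treat risks in."""
    return sorted(scenarios, key=ale, reverse=True)


def recommend(s: Scenario, controls):
    """Controls that pay for themselves for this scenario, best first."""
    scored = [(c.name, net_benefit(s, c)) for c in controls]
    return sorted([x for x in scored if x[1] > 0], key=lambda x: x[1], reverse=True)


# Constructed sample register (hypothetical assets, threats and controls).
DB_RANSOMWARE = Scenario("customer database", "ransomware",
                         asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
SITE_DDOS = Scenario("public website", "DDoS",
                     asset_value=300_000, exposure_factor=0.10, aro=2.0)

OFFLINE_BACKUPS = Control("offline backups", annual_cost=30_000, ef_reduction=0.8)
EDR = Control("endpoint detection and response", annual_cost=90_000, aro_reduction=0.5)
DDOS_SCRUBBING = Control("DDoS scrubbing service", annual_cost=20_000, aro_reduction=0.9)

if __name__ == "__main__":
    for s in rank_by_ale([DB_RANSOMWARE, SITE_DDOS]):
        print(f"{s.asset:18} {s.threat:12} SLE={sle(s):>10,.0f} ALE={ale(s):>10,.0f}")
    for name, value in recommend(DB_RANSOMWARE, [OFFLINE_BACKUPS, EDR]):
        print(f"  fund '{name}': net benefit {value:,.0f}/year")
```

With the sample figures, the database ransomware scenario carries an ALE of 100,000 and the website DDoS scenario 60,000, so the database is treated first. Offline backups cut the ransomware EF by 80% and pay for themselves (net benefit 50,000 per year), whereas the EDR control, which halves the ARO, costs more than the loss it avoids in this scenario alone and is not recommended on these numbers. The point of the exercise is that the countermeasure is judged by the reduction it produces in likelihood or impact, measured against its cost, not by plugging it into a division.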