- Risk Models - Use a well-established risk analysis method (ISO 27005, NIST SP 800-30 or FAIR, for example) rather than inventing a risk model from scratch; the established methods already define the vocabulary, the scales and the review cadence that a home-grown model would have to re-derive and defend.
- Risk Assessment - Do not confuse risk assessment with audit. An audit verifies that the security controls an organisation claims to have actually exist and operate as intended, and reports where those controls fail or break down. A risk assessment works from the other direction: it identifies the risks to the organisation, its technology and its processes, and checks whether controls are in place to protect against the threats behind those risks. Risk management then covers the ongoing handling of the risks that come with using information technology, and decides how to get the most out of the investment in security controls and the processes around them.
- Cost/Loss Expectancy - Risk management must also account for the Total Cost of Risk (TCOR), not just the price of controls: insurance premiums, retained losses, the Annual Loss Expectancy (ALE) of the risks being carried, administration cost and similar items.
- Conflating Precision with Accuracy - Exact figures for risk likelihood, vulnerability counts or incident rates are rarely available. A calibrated range (for example a 60-90% probability) is more accurate, and more honest, than a single precise-looking number that is really a guess; a point estimate can be precise and still be wrong.
- Risk Register - Record and rank every risk or event that could go wrong in a single risk register. Do not let the register be dominated by esoteric scenarios; populate it with real-world risks, and rate and prioritise the ones that most threaten the organisation and the business.
- Risk Exception Management - When an identified risk cannot be handled in line with the organisation's risk management policy, or a system must deviate from standard practice for a stipulated period, follow a risk exception process. The exception record identifies the area of non-compliance, the timeline and impact, and whether the non-compliance exposes the organisation to fines, penalties or malicious activity; it should also carry an owner, an expiry date and any compensating controls, so that the exception is reviewed rather than forgotten.
- Risk Rating - Assess each identified risk and classify it as low, medium or high from its probability, frequency and impact.
- Risk Intelligence - A risk intelligence programme aims to identify potential risks early so the organisation recognises the challenges that could compromise its business. It provides a proactive approach: discover risks, estimate their likelihood, and eliminate or reduce them. It defines a risk posture that gives the organisation's risks a structure tailored to its business operations. The posture is baselined on Threats, Controls, Assets and Impacts (TCAI); any change to one of those four alters the posture. The programme should also define what counts as a valid source of risk intelligence, and be able to absorb new information and changes that shift the risk posture.
- Multiplying by Ordinals - Treating risks purely on an ordinal scale such as High, Medium and Low, without looking at the quantities those labels stand for, leads to ineffective management and misdirected cost and resources in mitigation. Ordinal labels are ranks, not numbers: multiplying a likelihood of 3 by an impact of 3 does not produce a risk of 9 in any meaningful unit. If a risk is High impact but its probability is extremely low, pouring risk management effort into that particular threat is simply a bad calculation. Doing risk management wrong is worse than doing nothing at all, because it produces false confidence about where the real exposure lies.
- ROSI - Return on Security Investment measures the return on cyber security initiatives within the organisation, in its simplest form as (loss avoided - cost of control) / cost of control, where loss avoided is the reduction in Annual Loss Expectancy the control delivers. Expressing the benefit of a security initiative directly in monetary terms is difficult, so the measures often take the form of counts and rates: incidents prevented, attacks defended or blocked by the tools deployed, vulnerabilities patched, malware removed or quarantined, reduction in the number of open risks over a period, penalties and regulatory fines avoided, reputational damage averted, response times, and the ability to minimise loss or impact.
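Added example, not code from the original post: a small Python risk register that scores the same constructed risks on a 5x5 ordinal matrix and by quantified Annual Loss Expectancy ranges, so the ordinal-multiplication problem described above shows up in the output, and then computes ROSI for a hypothetical control. Every risk name, band, loss figure, rate and the 60,000-per-year control cost is made up for illustration.

```python
"""Ordinal risk matrix versus quantified Annual Loss Expectancy (ALE), plus ROSI.

Added example, not from the original post. Every risk, band, cost and rate
below is constructed for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

# A typical 5x5 qualitative matrix. The numbers are rank labels, not quantities,
# yet the matrix multiplies them as if they were.
LIKELIHOOD_BAND = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
IMPACT_BAND = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str           # ordinal band the assessor picked
    impact: str               # ordinal band the assessor picked
    sle: tuple[float, float]  # Single Loss Expectancy range (currency units)
    aro: tuple[float, float]  # Annualised Rate of Occurrence range (events/year)

    def ordinal_score(self) -> int:
        """What the matrix does: multiply two ordinals."""
        return LIKELIHOOD_BAND[self.likelihood] * IMPACT_BAND[self.impact]

    def ale_range(self) -> tuple[float, float]:
        """ALE = SLE x ARO, carried as a range rather than a falsely precise point."""
        return (self.sle[0] * self.aro[0], self.sle[1] * self.aro[1])

    def ale_mid(self) -> float:
        lo, hi = self.ale_range()
        return (lo + hi) / 2


# Constructed register entries (not real data).
RISK_REGISTER = [
    Risk("Ransomware via unpatched VPN", "Possible", "Major", (500_000, 2_000_000), (0.1, 0.3)),
    Risk("Region-wide cloud outage", "Unlikely", "Catastrophic", (1_000_000, 3_000_000), (0.01, 0.05)),
    Risk("Phishing credential theft", "Likely", "Minor", (20_000, 80_000), (2.0, 6.0)),
    Risk("Meteorite strike on datacentre", "Rare", "Catastrophic", (20_000_000, 50_000_000), (1e-7, 1e-6)),
    Risk("Lost unencrypted laptop", "Almost certain", "Insignificant", (5_000, 15_000), (1.0, 3.0)),
]


def rank_by_ordinal(risks):
    """Ranking a 5x5 matrix would produce (ties keep register order)."""
    return [r.name for r in sorted(risks, key=Risk.ordinal_score, reverse=True)]


def rank_by_ale(risks):
    """Ranking by expected annual loss (midpoint of the ALE range)."""
    return [r.name for r in sorted(risks, key=Risk.ale_mid, reverse=True)]


def hidden_magnitude_gaps(risks, factor=100.0):
    """Pairs the matrix scores identically whose quantified ALEs differ by >= factor."""
    gaps = []
    for a, b in combinations(risks, 2):
        if a.ordinal_score() != b.ordinal_score():
            continue
        big, small = max(a.ale_mid(), b.ale_mid()), min(a.ale_mid(), b.ale_mid())
        if small > 0 and big / small >= factor:
            gaps.append((a.name, b.name, big / small))
    return gaps


def rosi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Return on Security Investment: (loss avoided - control cost) / control cost."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def phishing_mfa_rosi(register=RISK_REGISTER, control_cost=60_000.0):
    """Hypothetical control: phishing-resistant MFA cutting the phishing ARO tenfold."""
    before = next(r for r in register if r.name == "Phishing credential theft")
    after = Risk(before.name, before.likelihood, before.impact, before.sle,
                 (before.aro[0] / 10, before.aro[1] / 10))
    return rosi(before.ale_mid(), after.ale_mid(), control_cost)


if __name__ == "__main__":
    print("matrix order :", rank_by_ordinal(RISK_REGISTER))
    print("ALE order    :", rank_by_ale(RISK_REGISTER))
    for r in RISK_REGISTER:
        lo, hi = r.ale_range()
        print(f"{r.name:32s} score={r.ordinal_score():2d} ALE={lo:,.0f}..{hi:,.0f}")
    print("tied on the matrix, orders of magnitude apart:", hidden_magnitude_gaps(RISK_REGISTER))
    print("ROSI for MFA:", round(phishing_mfa_rosi(), 2))
```

Run as a script it prints both orderings side by side: the matrix puts the cloud outage above phishing and ties the meteorite with the lost laptop, while the quantified ALE puts phishing well above the outage and separates the laptop from the meteorite by roughly a factor of a thousand. The ROSI figure (about 2.9, i.e. 2.9 units returned per unit spent) is only as good as the ALE ranges feeding it, which is why the ranges are kept rather than collapsed to a single number early.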
Saturday, 21 October 2023
Things to consider in Risk Management