Woah there cowboy; you aren’t just mis-interpreting Alex, Mike, Chris and Arthur. You clearly have no idea what Risk Management is. Maybe your sorry exposure to risk management is some sick bastard of forms, and engagement strategies and twisted methodologies - there are companies that are fundamentally selling crap and calling it risk management - so I don’t blame you. I really believe that you have no idea the difference between risk management and “it security” there is one HUGE difference in my opinion. That is critical thinking - “IT Security” is bullshit checklists and crap like “best practices” seriously bad - things like Secure Email and IDS systems come from “IT Security” anything that resembles risk management would completely recognize as useless; whereas best practices classify those controls as “exceptional” and “nice to have if you can afford it”
clearly those “exceptional” controls are diminishing returns types of controls. Most non risk-management folks declare technologies like that outside of their current budgets because they (although they won’t admit it) are doing sub-conscious risk management. There are so few cases where “Secure Email” is reducing loss events it makes me sick to think that there is more than a few companies offering it - let alone a gadzillion companies claiming it’s a “best practice”.

Anyone that is doing “Risk Management” isn’t performing some fancy dance of bureaucracy, or following some super extended pack of “best practices” and acknowledging some risk tolerance - they are exhibiting critical thinking. Something that you clearly are not accounting for; critical thinking must not be something you have heard of.

>>Something else you quote clears up the air around this:
Many of the fundamental information sources that organizations are turning to today give no prescriptive guidance at all on risk management. The information security drivers don’t help much either. By way of example, the PCI audit procedures recommend that reviewers “Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment.” FFIEC guidance for financial institutions desires a “multidisciplinary and knowledge-based approach” that identifies “all reasonably foreseeable threats.” This gives organizations no guidance at all and, after they have caused problems, all threats are reasonably foreseeable.

Although PCI is a prescriptive approach to security (THALL SHALT ENCRYPT DATA AT REST - REGARDLESS IF YOU ARE PROVIDING PROTECTION AGAINST LOSS EVENTS!) the requirement for a “risk assessment” as well as what FFIEC guidance is requesting is just a silly word for “Scan all of your servers and determine the impact of any vulnerabilities” which has nothing to do with risk management.

I am fortunate enough to have done a lot of security in my day - I have written policy for F100, State and federal governments, performed pentests for everything from some dink mfg co. to stuff that is so classified that I can’t even mention what world government paid for it. The truth is that Risk Management is a definition that exists out there - I think that you acknowledge that - My only beef is that you might have been narrowly exposed to something that someone called risk management but it really was just marketing or something worse - regardless it didn’t involve critical thinking.