ISO/IEC 16085:2004 Information technology – Software life cycle processes – Risk management
Risks can be measured, but only if the process for risk management has been defined. Since the purpose of risk management is to identify and mitigate risks continuously, successful risk management means that this process is planned, status is kept current on an ongoing basis, progress is monitored against objectives, impacts are continuously measured and analysed, and when changes are made, the process restarts over again.