Quiz Entry - updated: 2026.05.31
Why is risk management called an iterative process rather than a one-time project?
Both the inside and outside of the organisation keep changing — so any "tailored" risk picture is out of date the moment you publish it.
Drivers of change:
- Von Innen (internal) — the business itself evolves: new products, M&A, new IT stacks, staff turnover, new vendors. Every change is a new asset, a new exposure, a possibly new threat.
- Von Aussen (external) — the threat landscape shifts: new malware families, new attacker tooling (AI-assisted phishing, deepfakes), new regulations (NIS2, DORA, EU AI Act), new vulnerabilities (Log4Shell-class events).
Practical implication:
- Annual full re-assessment is the floor — for high-velocity orgs, quarterly is better.
- Triggered re-assessment for major events: an acquisition, a new product launch, a published zero-day in something you use.
- Continuous monitoring of "Indicators of Occurrence" lets you spot specific risks becoming more likely without redoing the whole exercise.
Tip: The ISO 31000 picture has Communication & Consultation on one side and Monitoring & Review on the other for exactly this reason — both bracket the whole cycle, running continuously.