Information security risks may arise from the following:
- human error
- gaps in or non-compliance with the instructions provided to the personnel
- theft or vandalism
- flaws and malfunctions of equipment, systems or software
- malware spread
- destruction of data
- fire or water damage
- errors and neglect on the part of a subcontractor or a member of a partner network.
Risk management is a process that aims to identify risks, reduce their likelihood and/or impact to an acceptable level, and maintain the level that has been achieved. The purpose of risk management is to protect the organisation and its ability to carry out its operations, taking economic factors into account.
The objective of risk management requirements is to ensure that a domain name registrar is aware of the consequences of a potential realisation of the risks and knows whether the risk-mitigating measures are adequate.
The objectives of risk management include:
- speeding up recovery after information security incidents
- reducing the costs and damage caused by information security incidents
- helping in allocating investments that improve the information security of domain name registration operations
- improving the quality and productivity of domain name registration operations
- optimising, in terms of finances, the management of risks related to domain name registration operations and preventing the realisation of risks.
Examples of standards and publications in which risk management has been discussed include the following:
- ISO/IEC 27005
- NIST SP 800-30 (risk assessment guide)
- OCTAVE.
FICORA does not set any obligation to comply with a particular standard. Risk management models vary from company to company, and there is no single model that would suit every purpose.
FICORA requires a domain name registrar to identify the risks related to its operations and their continuity, and to decide how such risks are addressed. Addressing a risk means that the domain name registrar determines an acceptable risk level for its operations and takes appropriate measures (often called controls) to reach that level. In practice this requires assigning responsibilities and setting schedules for the measures. In addition, the implementation and effect of the risk management measures should be monitored.
FICORA also requires that risk management be carried out regularly, i.e. that risks and the measures to manage them are evaluated on a recurring basis. A domain name registrar is free to determine the appropriate review cycles. Typically companies run risk management
- on a regular annual basis
- whenever new services or functions are being established
- every time after a potential risk is realised.
FICORA supervises domain name registrars’ operations. Registrars must document their established risk management process and its results so that compliance with the risk management requirements can be monitored.