This is a process of preparing, identifying risks, mitigating them and regularly reviewing the risks. Hence, this is a continuous process that requires regular review.
Two well-known frameworks assist here:
- STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service & Elevation of Privilege)
Risks must be classified on a scale of likelihood of occurring and impact (either financial or non-financial). Based on this, risks can be categorized and mitigation efforts can be implemented, starting with the risks that have a high chance of occurrence and a large impact.
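As an added example (not part of the original note), the following Python script builds a small risk register tagged with the STRIDE categories above, rates each entry by likelihood and impact, and orders the register so that mitigation starts with the highest-rated risks. The 1-5 scales, the High/Medium/Low band thresholds and the sample register entries are assumptions constructed for this example.

```python
from dataclasses import dataclass

# The six STRIDE categories from the note above.
STRIDE = {
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of Service", "Elevation of Privilege",
}


@dataclass(frozen=True)
class Risk:
    name: str
    stride: str       # one of the six STRIDE categories
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe), financial or not


def score(risk: Risk) -> int:
    """Risk rating = likelihood x impact, range 1..25 (assumed scheme)."""
    if risk.stride not in STRIDE:
        raise ValueError(f"{risk.name}: unknown STRIDE category {risk.stride!r}")
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def band(rating: int) -> str:
    """Assumed bands: High for 15 and above, Medium for 8..14, Low otherwise."""
    if rating >= 15:
        return "High"
    if rating >= 8:
        return "Medium"
    return "Low"


def prioritize(register):
    """Return (risk, rating, band) tuples, highest rating first.

    Ties are broken by higher likelihood, then by name, so the ordering is
    deterministic and the review can work down the list top to bottom.
    """
    rated = [(risk, score(risk), band(score(risk))) for risk in register]
    return sorted(rated, key=lambda t: (-t[1], -t[0].likelihood, t[0].name))


# Constructed sample register for demonstration only.
SAMPLE_REGISTER = [
    Risk("Session token replay on API", "Spoofing", 4, 4),
    Risk("Unsigned firmware update", "Tampering", 2, 5),
    Risk("Missing audit log for admin actions", "Repudiation", 3, 2),
    Risk("Verbose stack traces to clients", "Information disclosure", 5, 2),
    Risk("Unbounded upload size", "Denial of Service", 3, 3),
    Risk("World-writable cron script", "Elevation of Privilege", 2, 5),
]


if __name__ == "__main__":
    for risk, rating, level in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {rating:2}  {risk.stride:24} {risk.name}")
```

Re-running `prioritize` after each review cycle, with updated likelihood and impact values, is how the continuous review the note describes is kept concrete: the ordering changes as mitigations land and new risks are added.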