Page 98 - CISSO_Prep_ Guide
management on the status of the project and the effect on the
risk profile of the organization.
Risk Monitoring
No control will work forever, no control is 100% effective, and
no risk will remain the same indefinitely. Therefore the final
phase of risk management is the ongoing monitoring of risk.
Regular risk assessments, reporting to management, scheduling
of implementation of new risk mitigation efforts, and evaluation
of the effectiveness of the controls are all part of the risk
monitoring effort.
The frequency of risk assessments and reporting is often
mandated by law (FISMA in the USA requires annual reporting
to Congress), policy, or industry standards (PCI-DSS requires a
penetration test every quarter). Many factors can affect the risk
profile of the organization, including emerging threats, newly
discovered vulnerabilities, political changes, supply chain
failures, natural events, changing markets, and aging of
equipment.
All of these should trigger a review of the risk and a report on
any changes to the risk levels facing the organization. Other
factors that affect risk can be significant changes to an
application, hardware upgrades, or changes in the user
community. For this reason, risk monitoring must be integrated
into the change management process, so that each proposed
change is assessed to determine whether it will affect the overall
risk, the effectiveness of controls, or compliance with regulatory
requirements.