From the 2021 IBM’s report, cyber-resilience for small organisations includes:

Investing in training and education for employees

Outsourcing the cybersecurity function to external providers

Increasing the complexity of internal monitoring procedures

According to ISO standards, a risk management cycle is as follows:

risk reporting > monitoring > communication

risk identification > analysis > evaluation

risk assessment > evaluation > treatment

Risk evaluation allows to:

Recognize and describe the source of the risk

Support strategic decision making

Comprehend the nature of the risk

Quality assurance applies to:

people

both

processes

A summative evaluation:

is a benchmark evaluation between expectations, performance standards and actual achievements

is intended to rank the likelihood and impact of a given risk

is a standard monitoring process implemented before financial reporting