From the 2021 IBM’s report, cyber-resilience for small organisations includes:

Investing in training and education for employees

Outsourcing the cybersecurity function to external providers

Increasing the complexity of internal monitoring procedures

According to ISO standards, a risk management cycle is as follows:

risk reporting > monitoring > communication

risk assessment > evaluation > treatment

risk identification > analysis > evaluation

Risk evaluation allows to:

Support strategic decision making

Recognize and describe the source of the risk

Comprehend the nature of the risk

Quality assurance applies to:

both

processes

people

A summative evaluation:

is a standard monitoring process implemented before financial reporting

is intended to rank the likelihood and impact of a given risk

is a benchmark evaluation between expectations, performance standards and actual achievements