As architects we all constantly have to evaluate risk, but our risk assessment is mainly based on our awareness of and worries about risk. So when we are worried we use extra-safe seatbelts, preach the use of condoms, install manual theft protection and highlight any security concern to everyone. On the other hand, when we are relaxed and carefree we are willing to take more risks and to reduce any risk assessment to near zero. Now you may think that it is best to get risk assessments only from the first group, but that is where the zero-risk bias comes in, by which certain risks are prioritised over others. An example is that the war on terrorism will always be weighted higher even if the real risks are small compared to something like traffic accidents or gun violence.
The reason is that worried people usually like to get a horrified response when they talk about the subject, and terrorism simply produces much more emotion. The same holds elsewhere: if you can construct a link between your current pet project and child abuse, it will work much better than a sensible assessment focusing on loss of business value. Additionally, no one will argue against the risk itself, only about its likelihood. However, if the consequence as such is seen as repulsive enough, people will waive likelihoods, as no executive will ever want to explain why he has not done everything to prevent such a horrific thing from happening.
So risks are only handled in an objective manner as long as they are emotionally neutral. However, given that risk avoidance is an area with a finite budget, there is usually very little left for the objective risks, as a lot is spent on the more emotional headlines. So for a long time people dealing with the mitigation of risk have stressed the emotional rather than the objective risks. This in turn has led to the wrong handling of risk, as the real risk was often accepted while the focus was on the imaginary risks. Therefore the usual form of risk management is to set aside a certain budget in any undertaking for addressing some risks, and to stress to all involved that there is no such thing as a risk-free action or product.
So risk management starts before a project is kicked off, to find out before investment whether the projected business case has the potential to cover the risk mitigation. The risks that are taken into account are those likely to destroy the business case and those that will have a maximum media impact. The media impact is constantly revised as the public gets used to privacy breaches and information leakage. All the revelations of the Snowden affair have also numbed the public in many other areas, so that what was once seen as an embarrassing incident will no longer make any headlines.
For a risk to count as an embarrassment, usually a death, child abuse or some horrific scenario of loss of control (such as was just demonstrated with cars or guns) needs to be involved. All this will also change the risk mitigation market, security included, as a simple backdoor or the loss of credit card details will no longer justify risk mitigation.