Responses to risks and the experience gained provide keys to learning. A formal and documented evaluation of a risk episode provides the basis for lessons learned and lays the foundation for identifying best practices. This evaluation should consider the entire risk management process from planning through evaluation. It should focus on the following questions:
1. How did we do it?
2. What can we do better next time?
3. What lessons did we learn?
4. What best practices can be incorporated into the risk management process?
The risk planning process is cyclical because the evaluation of the risk responses and the risk planning process can influence how an organization will plan, prepare, and commit to IT risk management.