This document discusses managing risks in information systems. It explains that identifying risks is challenging, but treating them requires making changes and hard decisions. It's important to document the risk mitigation steps taken. The document also notes that appointing a single person to oversee risk treatment ensures corrective actions align with the risk mitigation plan. The purpose of a risk mitigation plan is to define ongoing procedures and processes to mitigate risks across the seven domains of an IT infrastructure.