While “Be Prepared” might be the motto of the Boy Scouts of America, it ought to be the motto of … IT organizations all over the world, too. Mark Pimperton writes this article with a simple idea: have your risk classifications and processes in place well before you need them, and when you need them you'll be ready. It makes sense, but the truth is that many organizations are blindsided by issues and risks they didn't consider, and they didn't consider them because no-one bothered to classify what could go wrong. Classifying risk goes hand-in-hand with assessing and mitigating risk, completing the three-step process that should be established and understood for every project (and not just when you need it).

Noting the need for IT Risk Management, Pimperton writes:

…businesses face many different types of risk, all of which should be actively managed. They include financial, personnel, facilities – and IT risks. Ideally your IT risks should be managed as part of a broader, organization-wide activity; there's not much point knowing how to restore data if you've nowhere to work or all your staff are sick. But here I concentrate on the approach we take to risk management with our IT systems and data. Larger organizations may have dedicated staff and different methods, but what we do has at least made us proactive and prompted us to make many changes.

Pimperton goes on to provide several graphics to assist the understanding of the different steps within a good risk management plan (including classifying, assessing, and mitigating), and concludes that an annual review of the risk management plan – along with how risks were addressed – helps build a successful plan and keep an already successful plan healthy. While this is very sound advice, how hard would it be to implement a risk management plan (or get buy-in from executive management) when there isn't currently a risk to address?