A holistic risk management strategy implementation should address the following components: (1) Threat assessment, both capability and intent; (2) Vulnerability assessment; (3) Consequence assessment; (4) Mitigation options (cost/benefit) analysis; and (5) Mitigation implementation. The Risk Management process involves Risk Assessment (the combination of the first three risk elements - threat, vulnerability, and consequence) and Risk Mitigation (development and analysis of mitigation options and implementation of the preferred options). The first three risk elements are strongly interdependent for malevolent threats and must be considered collectively. The success of the Risk Assessment process depends strongly upon good planning, a screening process based upon a preliminary analysis of consequences, and the development of a good baseline description (from which the mitigation options can be developed). The output of the Risk Assessment provides the degree of risk that is to be managed. Various mitigation options can then be analyzed in a holistic context that considers other operational parameters such as life-cycle cost, operational impact, safety, policy, public opinion, and personal freedoms. These options provide input to the next round of risk assessments that result in risk/operational pairs. For each option there is a reduction in risk and an associated operational cost - a real cost (e.g., life-cycle security, productivity, safety), and a virtual cost (e.g., public opinion, loss of personal freedoms). Only then does the decision-maker have the necessary data to determine which risks should be mitigated and which risks should be accepted. Furthermore, all involved in the process must understand the perishability of any risk assessment. With time, all factors can change: the threat may become more or less capable or threatening; vulnerabilities can become more pronounced or less so ) because of the implementation of mitigation options, or lack thereof); and consequences may be higher or lower depending on intervening developments involving the asset in question or related assets that may or may not be robust substitutes should something happen to the asset in question. As such, commitment to a risk management strategy also carries a commitment to a continuing process. (DOD Defense Science Board, Report of the DSB Task Force on CHIP, 2007, p. 15)