Learning from risk is the sixth and last step in the Microsoft Operations Framework (MOF) Risk Management Discipline and adds a strategic, enterprise, or organizational perspective to risk management activities. Risk learning should be a continuous activity throughout the entire risk management process and may begin at any time. It focuses on three key objectives:

  • Providing quality assurance on the current risk management activities so that the IT operations group can gain regular feedback.
  • Capturing knowledge and best practices, especially around risk identification and successful mitigation strategies; this contributes to the risk knowledge base.
  • Improving the risk management process by capturing feedback from the organization.

Capturing Lessons About Risk

Risk classification is a powerful means for ensuring that lessons learned from previous experience are made available to the groups performing future risk assessments. The following two key aspects of learning are often recorded using risk classifications:

  • New risks - If IT operations encounters an issue that had not been identified earlier as a risk, it should review whether any signs (leading indicators) could have helped to predict the risk. You may need to update the existing risk lists to help identify risks in the future. Alternatively, you might have identified a new operational risk that should be added to the existing risk knowledge base.
  • Mitigation strategies - The other key learning point is to capture experiences of strategies that have been used successfully (or even unsuccessfully) to mitigate risks. Use of a standard risk classification provides a meaningful way to group related risks so that operations can easily find details of risk management strategies that have been successful in the past.

Best Practices

The best practices described below will be beneficial during the learning from risk step.

Risk Review Meetings

The risk review process should be well managed to ensure all learning is captured. Operations management reviews (OMRs) as well as specific risk review meetings provide a forum for learning from risk. They should be held on a regular basis and, like other reviews, will benefit from advance planning, development of a clear, published agenda, active participation by all attendees, and free, honest communication in a "blame-free" environment.

Risk Knowledge Base

The risk knowledge base is a formal or informal mechanism by which an organization captures learning to assist in future risk management. Without some form of knowledge base, an organization may have difficulty adopting a proactive approach to risk management. The risk knowledge base differs from the risk management database, which stores and tracks individual risk items, plans, and status for a specific service.