Risk management is the process of understanding the risks to which an organization is subjected and then finding ways to mitigate or work with the identified risks. There are multiple ways to deal with risk, including the following:
- Alter operations so that certain risks are avoided. For example, unusually dangerous production work could be outsourced to a supplier.
- Retain risks when doing so makes business sense. For example, management could decide that keeping operations in a country where assets are subject to expropriation is an acceptable risk, because profits are so high.
- Transfer risk to a third party. For example, a company could purchase insurance, so that an insurance company takes on certain types of risks.
By engaging in risk management, an organization can lower the probability that it will be subjected to large and unexpected losses. This process can be taken too far or be misguided. For example, an oil exploration firm could spend too much time mitigating the risk of employees tripping on a drilling platform, while ignoring the much greater risk of a wellhead blowout that could cause massive environmental damage. Or, an overly active risk manager could bury a company under a massive number of risk mitigation policies and procedures, which interfere with its ability to conduct business on a daily basis. Consequently, risk management needs to be precisely targeted at specific, high-loss risks, while paying less attention to lower-risk, low-loss issues.