Risk is the ultimate four-letter word of business, investment and government. Entrepreneurs and political leaders understand as well as anyone that if nothing is ventured, nothing can be gained, and that therefore risk can never be entirely eliminated. Nonetheless, the effort to minimize, or at least manage risk, has become a major focus of most corporate entities, and it's standard practice for public companies to disclose their operating risks each quarter in their public filings.
Any effective risk management plan will begin with identifying potential risks, which may exist in many forms. Not only tangible assets like capital can be at risk, but intangible ones such as reputation and goodwill can be damaged, either through the course of normal operations or by some extraordinary circumstance. Once risk is identified, it must be assessed for its likelihood and the extent of damage possible. One common formula for assessing risk is the probability of the event (as a number less than one) multiplied by the cost of the event.
It's only after a risk has been identified and assessed that true risk management can be performed. These initial steps are therefore crucial, but do not themselves amount to risk management. Prioritizing risks so that each can receive the appropriate time and resources is as important as identifying and assessing risks. The ability to move from the initial stages to effective management can ultimately determine the effectiveness of a risk management plan. At the same time, assessments must be thorough and accurate for any further steps to be meaningful and efficient.
There are as many actual risk management techniques as there are types of businesses, but once a risk has been identified and assessed, most efforts at mitigating the risk fall into four basic categories regardless of the context. The first, avoidance, can be as simple as not engaging in activity that produces the risk, but this not only eliminates risk but potential benefits as well. Risk reduction through concrete steps is far more common, and the specifics will be related to the type of business and risk involved. Risk transference is also highly beneficial as when an available option; it involves outsourcing the problem to another entity such as through the purchase of insurance. Finally, risk retention is inevitable in some cases where the risks are either unlikely, or the costs of mitigating or transferring the risk are prohibitive.
Overestimating the importance of risk management is almost impossible. In the investment world, for example, it's more important to retain capital than to make profits -- or at least, profits can only be realized consistently if proper risk management prevents massive capital losses. Governments are also constantly engaged in risk management. Entire agencies are devoted to creating emergency reaction plans from first response to evacuation and government continuity. And, of course, legions of attorneys make a living assessing legal risk for both governments and corporations.
As they've been presented to the public, the invasion of Iraq and the U.S. Patriot Act are essentially risk management efforts. In 2008 the threat to America increased to include financial and economic collapse with dramatic changes in the relationship between government and business ensuing. Ironically, as risks mount, government risk managers tend to become less risk-tolerant and move their goals closer to total security and the elimination of all risk. When preserving institutions is the priority, individuals and liberties become liabilities and even threats. Corporate risk managers often have little choice but to follow suit.