All businesses face risks from a variety of sources, both internal and external. The two primary means of managing risk are risk mitigation and contingency planning. Risk mitigation focuses on minimizing risks once they arise, while contingency planning refers to having an alternative course of action planned once a risk surfaces -- in other words, having a plan B.
Risk mitigation is a form of damage control. While the focus of risk mitigation is on actions to be taken after the risk become apparent, a company's risk mitigation strategies should be planned out in advance, put into writing and made known to the key people within the organization.
Contingency planning is having a back-up plan in the event that a risk arises and undoes an assumption upon which the original plan was based. For example, a company might assume that a new product it is developing will face no serious competition for five years. If a strong competitor emerges after only a few months, the company may need to pursue a new strategy, focusing more on competitive positioning than on growing the market for its product.
A key aspect of both risk mitigation and contingency planning is the ability to identify potential risks before they arise and plan mitigation or contingency strategies. One popular way of identifying risks is to think about the assumptions underlying a company's business plan or model and ask what would happen if those assumptions turned out to be false.
In addition to identifying potential risks, a company must prioritize its mitigation and contingency planning efforts on the most significant risks. A common technique is to list all the possible risks and place them in a two-by-two matrix, with the vertical axis representing the seriousness of the risk and the horizontal axis representing the likelihood of the risk. The risks in the upper right quadrant -- the most serious and most likely -- should be addressed first.