Risk management can be considered as a process.
This is not necessarily sequential, as some tasks can be carried out at the
same time as others. Some will have to be repeated continually; others will
have to be carried out less often.
Additionally, the process is iterative: it is
continuous and repetitive. A brief overview is provided here, emphasising the
repetitive nature of the process.

Formulation of strategy for risk management

Risk management is a function of an organisation;
consequently, a risk management mission, strategies and objectives have to be
developed within the organisation’s overall mission and strategy. The risk
manager should be involved in overall strategy making as well as provide one
for his or her own function. Like all strategies it should be aimed at the
achievement of the overall mission of the firm.
As the risk manager’s tasks will substantially
affect the other functions this would have to be done in conjunction with
the other functionaries. For example, risk management’s responsibility
for safety could affect production management. Safety requirements could
impede the fulfilment of production quotas, which could put risk management
and production management in conflict. If the two functionaries liaise and
obtain agreement on their strategies it will be easier to fulfil them when
the time comes.
One of the main tasks of risk management is to
identify the risks faced by the organisation. There are a number of
techniques that can be used to achieve this task. Fire prevention, safety,
financial and auditing theory are well developed but have not been brought
together. In addition risks such as business risk have not merited
attention. Methods of identification of risk will be discussed in the
forthcoming chapters. Although it is the aim of risk management to identify
all risks this is not always possible, as some dangers will remain
unforeseen. At the centre of the idea of risk is uncertainty and
unexpectedness.
It could also be argued that individuals would
not wish to identify all risks as this could reduce some of the excitement
experienced by uncertainty. The sports of sailing and skiing are enjoyed by
many because of the uncertainty involved. Despite this it is the aim of risk
management to identify as many risks as possible, certainly the more
important ones that are likely to affect the individual or organisation.
People understand risks differently depending on
some of the factors discussed in chapter one. This means that the employees
within the organisation should be involved in risk identification rather
than relying on engineers or other experts, as has been the practice in the
past. Employees working in various capacities will have seen things going
wrong that experts could not foresee. Therefore their knowledge and
experience should be drawn upon during the process of identifying risk.
Identification of risk is a continual process
and should be carried out by all employees. Means of learning from mistakes
should be instituted and records kept of all losses, accidents, incidents,
near misses and other factors which detracted, or had the
capacity to detract, from the organisation achieving its objectives, no
matter how slightly. From this documentation a deeper understanding of the
risks faced by the organisation can be achieved.
Management has to make decisions on what steps
to take to control risk following its identification. There may be a large
number of risks identified; consequently, there is a dilemma as to which
should be dealt with first. In order to make this decision the risks that
have been identified will have to be prioritised. This is achieved by
evaluating each risk. This task should be carried out with the assistance of
the individuals facing the risk so that agreement can be reached as to its
importance. In this way implementation of any plan to deal with the dangers
can be carried out with the consent of those concerned. Although
identification and evaluation are two separate parts of the process they may
well occur at the same time. As the risks are identified and the
consequences developed the impact can be measured.
Risks are continually changing and new ones
being added so that, like the identification of risk, evaluation is a
continuous process. Strategies for evaluating risk will be discussed in more
detail in forthcoming chapters.
Once risks have been identified and evaluated
they have to be controlled. This can be divided into two sections, physical
and financial control. The former involves taking physical action to prevent
losses occurring or to reduce the likelihood of a loss. At this stage plans
should also be developed to limit the consequences of an event. For example
a disaster plan should be in place to deal with the media following an
incident whereby a product causes injury or is suspected of being faulty.
Another example is in the area of fire control where fire extinguishers are
provided or sprinklers are installed.
Risk control can be considered from the
standpoint of both the frequency and severity of risk. Frequency refers to
how often a particular event leading to an unwanted consequence can occur
whilst severity refers to the extent of the damage arising from the event.
This leads to the conclusion that risk control can be sub-divided into three
areas. Firstly avoidance of the risk, that is to say not entering into the
risky situation at all. Don’t sell the product, don’t get out of bed in the
morning. Avoiding the risk means that there is no possibility of a
particular event occurring; it is aimed at both the frequency and the
severity together. Secondly one can prevent the risk, that is to say take
steps to limit the occurrence of the event.
In this case the risky operation is commenced
but steps are taken to ensure that, for example, the product is not faulty
or someone is not injured. The aim of preventing the risk is to limit the
frequency of losses, that is the number of times a particular event can
occur. Guarding machinery or legislation making driving under the influence
of alcohol illegal, and enforcing that legislation, are examples of the
prevention of risk. Thirdly, the risk may be reduced. Uncertain events may
still occur but their consequences are controlled. For example, sprinklers
could be installed in a factory to reduce the spread of fire or the quality
of products is improved so that a smaller percentage of faults is
acceptable. Steps taken to reduce the risk are aimed at the severity of the
uncertain event. Physical risk control involves both pre and post loss
action. The salvaging of damaged materials or the investigation of an event
are both examples of post-loss risk control. Post-loss risk control is aimed
at reducing the severity of the loss.
The aim of financial risk control is to ensure
that cash is available in the event of something going wrong. In the case of
pure risk the traditional method has been to purchase insurance but this
approach has been changing with self-financing becoming more acceptable than
in the past. The providing of finance in the event of a loss occurring is
required for all risks in addition to insurable risks. For example cash may
be required to recall a defective product or provide advertising in the
event of adverse publicity following an incident such as glass being found
in baby food or chickens being fed on a poisonous substance as was
discovered in Belgium in 1999.
In all cases a formal strategy should be in place so that immediately
something does go wrong finances are available to deal with the incident.
Traditionally insurance has been the technology
that has been used for financing risk but the insurance market has failed to
deal with the increasing concern that business is expressing about risk and
has not been able to fulfil organisational requirements. This is due to the
fact that insurers are unable to insure outside the traditional market
either due to a lack of capital or because the new risks are seen as being
business risks to be faced by the owners of a concern. This has led to new
devices being developed to deal with risk.
For example bonds have been provided to provide
finance in the event of an earthquake or a severe storm. Financial risk
management has dealt with the problem of spreading the risks of investments
or currency exchange using various devices such as puts and options.
Physical and financial risk control will be dealt with in later chapters
when some of the new innovations will be considered.