In today’s business world there are many opportunities for small problems and mistakes to cause large problems for companies. There are also easy opportunities for criminals and competitors to steal material or information whose loss would be devastating to the company. Whether the factor is external or internal, missing it could mean the end of a company. These are some of the aspects that are assessed in risk management. To protect the company, risk management plans need to be established around the four main stages: risk identification, risk assessment, risk response, and risk control.
The first stage of risk management is risk identification. During this stage, the manager must find and list all potential risks. These risks are then sorted into two categories: project risks and general risks. Project risks are specific to a project or to short-term goals, like increasing the profit for the holiday season. General risks affect all aspects of the company, like customers not buying the product. The most important and basic part of risk identification is to ask the simple questions "What could happen?", "How could it happen?", and "Why could it happen?"; as mentioned, these risks can be internal or external (Reuvid, 2007). A good place to start gathering information is other companies that have finished similar goals (Crouhy, Galai, & Robert, 2001). Since these companies have already finished similar goals, a manager can expect close to the same results. Managers then use that information to learn which risks occurred and which risks the other companies avoided, and carry those over to their own list of identified risks. Without this step and knowledge of all of the possible risks, the entire risk management process, and the company, would fail.
The next stage in risk management is risk assessment. For this step it is vital for managers to identify the most valuable, least valuable, and riskiest goals for the company. Managers find what is important in the company so they know what to protect or pursue the most. All the risks identified in the first stage now need to be assessed based on the probability of occurrence and the severity of the outcome if they do occur; this is called qualitative risk analysis (Heldman, 2005).
Qualitative risk analysis is done through a risk matrix (Reuvid, 2007). Each risk is assigned a number from low to high for both the probability and the severity of the outcome. Risks with two low numbers are classed as low risks. Risks that have a low impact but a high probability are medium risks, since they have such a high chance of occurring and any kind of impact would be bothersome. Some risks have a low probability, but if their impact is high enough they could severely hurt the company, so they are categorized as high priority risks. The last category is risks with the highest probability and the highest severity; these are called critical risks and are the most important category to protect against (Turbit, 2010).
The third stage of risk management is risk response, which is designed to protect against the potential risks. Risk response puts the previous two stages to work: it is deciding what actions to take for each risk (Reuvid, 2007). During this stage the manager implements a strategy for each risk, starting with those in the critical risks category and working down to the low risks category. However, many times the low risks category will not even be looked at, since those risks have such a low probability and impact (Heldman, 2005).
There are many strategies for risk response, but the most common are avoidance, transferring, minimizing the probability and impact, and accepting the risk (Turbit, 2010). Avoidance is just that: avoiding the risk completely. This is when managers already know what is going to happen, like from the information gathered from