Risk is about analysing questions and taking action in areas such as: What is the likelihood that something might (or might not) happen and what damage would follow if it did (or did not) happen? What is the risk of things going wrong relative to the return of things going right? What is the risk relative to possible return or reward? Risk management is planning for the possible, foreseeable and unforeseeable. A basic corporate-level risk management overview would be to, say: categorise all possible corporate risk exposure by the likelihood of occurrence and the financial impact on the business; select the top 5 risks which are most important to the business; review quarterly what the business is doing to mitigate those risks in particular whilst keeping a watching brief on other identified risks. Risk management should be an ongoing process of regularly monitoring, review and reporting changes in ongoing risks and identification and control of new risks. Classical risk management tactics include: Tolerate . Accept the risk without any further action than monitoring. For example where it is not cost-effective or simply not possible to do anything else. Treat . Improve responses to the risk to reduce the chance of it happening or reduce damage if it does occur eg automatic sprinklers. preventive controls eg authorised access limitations, corrective controls eg tighten credit control, directive controls eg health and safety compliance, ...