Risk management in business attempts to forecast and so prevent the occurrence of undesirable events which may have a negative impact on a company. Although the traditional definition restricts risk management measures to prevention and mitigation of harm, by the early 21st century, management theory had identified both negative and positive aspects of risk. For example, the ISO Guide defines risk as the "effect of uncertainty on objectives," refraining from associating explicitly the phenomenon with either positive or negative aspects.
Risk management became widespread in businesses in the United States in the second half of the 20th century. Companies realized the need of risk management efforts following some wide-scale oil tanker accidents in the 1970s and a dramatic change in the banking sector since the 1980s. Globalization and dynamic processes in contemporary economy call for a holistic approach to risk management. For example, supply chains can cover thousands of miles and different countries, which pose a wide range of risks. Meanwhile, the strong interrelation between different risks does not allow the separate analysis and treatment of various threats.
Risks which threaten the viability of a product or service may include new rivals, adverse trends in commodity prices, currency rates, interest rates or economic growth. Risk management has also been expanded to include financial risks: interest rates, exchange rates and derivatives.
There are numerous informal methods of assessing risk. To adequately prevent risk, however, businesses should rely on formal approaches. One of the most common approaches to risk management in business is scenario analysis - a method which studies various possible future events. Other risk management approaches include operational risk management, financial risk management, credit risk management, currency risk management and project risk management.
Some methods define risk as a function of three variables - the probability of the occurrence of a threat; the probable availability of vulnerabilities; and the potential impact. Risk management rests on several stages - identification of risks, analysis, measures to reduce or eliminate exposure to loss.
Although risk management measures are to a larger extent available to big companies, small firms also need a risk management strategy. Small businesses are advised to get insurance against common types of losses - theft, fire, flood, employee injuries, product liability or environmental impairment. These losses can have a serious impact on the company's day-to-day operation.
Risk can emerge from both external and internal factors. External risks are related to competition, customer changes, contracts, relations with suppliers, regulation and culture. Internal risks are linked to intellectual capital, research and development and information systems. Some factors fall under the scope of both internal and external factors — supply chain, integration of mergers and acquisitions as well as products and services.
Apart from addressing identified risks, risk management has a positive effect on the company's overall business organization. It ensures the consistent and controlled operation of the company. Risk management techniques also improve decision-making, planning and prioritization. Furthermore, they contribute to the efficient use of capital and resources and protect and enhance assets.
The increasing importance of risk management in business has resulted in stronger awareness and demand for standardization of risk management practices at different organizations. Risk management in business is certified by standard ISO 31000, issued by the International Organization for Standardization (ISO). The standard seeks to provide risk management principles and measure their application in the corporate world. The ISO 31000 family includes ISO 31000:2009 Principles and Guidelines on Implementation, ISO/IEC 31010:2009 Risk Management — Risk-Assessment Techniques; and ISO Guide 73:2009 Risk Management - Vocabulary.