Risk Management within an organisation, project or strategy is the cost-effective systematic assessment, monitoring and control of existing, potential and possible impacts on the project that will impede its progress to completion.
 
Although Project Risk Management, for example, relates to the risks within a project; risks incurred within that project may also impact the host organisation and stakeholders beyond the scope of the project.
 
For example, a project that is meant to integrate into, say, the General Ledger, but instead corrupts the data in the General Ledger, will impact the entire organisation as well as suppliers and customers.
Risk Management therefore, is as much about 'inoculation' and 'prevention' as it is about 'avoidance' and 'mitigation'.
 
Risk Management is fundamentally about the management of uncertainty and prediction. Although most Risk Management focus is on managing potential negative impacts, uncertainty can also provide positive opportunities for a project and the organisation.
As an example, a new system or software or process may be made available during the life of a project that enables the project (and organisation) obtain greater benefit and/or functionality.
Furthermore, while a risk may be known, understood or certain, all its ramifications may not - particularly if the event is also likely to affect the organisation's external environment and external stakeholders.
 
Being able to think effectively in Risk Management terms, requires an ability to think of all the bad things that could happen or all the things that might go wrong.
 
Asking those sorts of questions won't make you popular with the person or people who are advocating for a change initiative (for example) to proceed (and who may understate some of the risks.)
 
In order for risk to be effectively managed, it requires:
 

• That all senior managers in the organisation and the Project Sponsor commit to managing the identified risks.
• That all stakeholders within and external to the organisation commit to work together to manage mutually-impacting risks.
• That all stakeholders are engaged through effective communications and involvement throughout the risk management process.
• That suitable risk management plans and processes are established, approved and implemented.
• That approved risk management plans are complied with.
• That each risk is assigned to a suitable person, group, function or department as part of their responsibilities and held accountable for its monitoring and management.
• That risks are continuously managed throughout the project, and where relevant, beyond it.

It is self-evident that most managers are not suitably equipped to undertake these steps effectively. Not only are managers ill-equipped, but so are directors.

Generally, both of these communities are transfixed by the known and the existing, and ignorant of or actively avoid the unknown or the vague. They have a vested interest in the status quo and avoid periods of change and transformation - often until it is too late.