All firms face a variety of risks. Scandals such as Enron, WorldCom, Tyco, and Adelphia and tragic events such as 9/11 have reinforced the need of companies to manage risk. Moreover, risk management should not be placed at the end of the agenda for a board meeting as “other business,” but be a key agenda item that is discussed regularly at board meetings. In practice, the board can provide only oversight and direction. The responsibility of risk management is often delegated to either (1) the audit, finance, or compliance committee of the company’s board of directors; or (2) a risk management officer (typically called the chief risk officer) or a risk management group headed by a risk management officer. Regardless of the structure, to assure effective performance of the risk management process, the committee or group responsible for risk management should have regular interaction with the chief financial officer, internal auditors, general counsel, and managers of business units.

There is no shortage of definitions for risk. In everyday parlance, risk is often viewed as something that is negative. But we know that some risks lead to economic gains while ...