Once the risks associated with a project have been identified, the next critical step is to decide whether to accept and assume the risk, if it is judged tolerable, or to mitigate it (reduce or limit the risk). Risk management measures are intended to mitigate risk. Risk management is the responsibility of everybody in the organization.
The purpose of risk management is to choose technically sound, integrated actions to reduce risk after consideration of the costs of each increment of risk reduction, including environmental, social, cultural, ethical, political, and legal costs. The Corps defines risk management as: "The process of problem finding and initiating action to identify, evaluate, select, implement, monitor and modify actions taken to alter levels of risk as compared to taking no action."
Like risk assessment, risk management at its most basic level should answer the following questions:
- What is the problem?
- What questions do we want risk assessment to answer?
- What can be done to reduce the impact of the risk?
- What can be done to reduce the likelihood of the risk occurring?
- What are the trade-offs among various options for addressing the risk?
- What are the best options for addressing the risk?
- Is it working?