CHAPTER 2 Risk Defined

WHEN ONE SETS OUT to systematically manage risk in a firm it helps to have a clear idea about what one means by ‘risk’, and what it is one hopes to achieve by its management. It also helps if this way of thinking about risk and risk management is widely shared by people across the organization, paving the way for a unified and enterprise‐wide mindset. In this chapter we review the foundations of risk management in firms. Despite the highly subjective nature of risk, to make progress we need to establish some ‘rock bottom’ tenets according to which we can operate.

Most people would agree with us when we say that risk has to do with the possibility of something bad happening. Bad is usually taken to mean a failure, accident, loss, damage, or something similarly negative. But there is also a sense in which risk is a very personal and subjective thing. What you think is bad may not be bad to me. If I plan to go to the beach tomorrow, a bad outcome would be if it rains by the time I arrive there. But to a person who is anxious to have his garden watered, a downpour could be a blessing. Risk, as it has been said, lies in the eye of the beholder, and consequently needs to be defined in each specific context. There is no off‐the‐shelf version that can be applied everywhere and by everyone.

The subjectivity of risk, or that each of us has our own perception of risk, is not an issue as long as we are talking about individuals. In a free society, each of us may have ...
