One way to express risk is to divide it into internal and external groups. Internal risk is risk to your company's bottom line from forces that come from within -- disgruntled employees, money lost due to poor communication and other risks that come from employees interacting with one another. External risk, on the other hand, is risk that comes from outside your company -- negative public relations, a recession or anything else that comes from external forces.
One of the key parts of running a company is establishing precisely how you are going to manage these risks.
Establish precisely what risks your company faces, both internally and externally. This is not a single, fixed list of risks. Rather, the list should be dynamic -- you should constantly be looking for risks that you need to manage and documenting what they are.
Document risk management techniques in a clear, logical way. The technique should follow from the individual risk, and be clear. So, if you have identified the internal risk of employees printing emails instead of reading them on their screens, you should manage this risk with a policy that discourages printing. Cause and effect should be explicit.
Track what you are doing to manage risk, and whether these techniques are working. In addition, track what the effects of those risks are -- do they create new risks? Risk management is about understanding the consequences of your actions, and the best way to do this is with clear, applied data.
Identify employees with clear responsibilities for different areas of risk. Ensure that these employees' responsibility is documented to create a clear path for accountability. If a risk is not adequately managed, you will be able to quickly talk to the responsible party.
Make the risk management documents accessible to everyone who needs that information. Employees who make risky decisions should be able to quickly access the data that shows how that risk is being managed.