The risk management literature often adopts a stages model from the project management and decision theory literature. A typical set of steps is given below:
1. Identify the source of the risk exposure.
2. Quantify and/or assess the exposure.
3. Assess the impact of the exposure on the firm’s business and financial strategy. Determine the degree of risk adjustment required against predetermined criteria. This often takes the form of a cost–benefit analysis.
4. Assess the firm’s capabilities, competencies and/or capacity to undertake its own hedging and insurance programme.
5. Select the appropriate risk management product and mix. This will typically include both operational hedging and the use of external risk management products such as insurance contracts, derivatives and risk pooling.
6. Keep the risk management process under review.
In their discussion of how financial risk exposure can be applied in practice, Bauman et al. (1994) also provide a logical series of steps, together with the required analysis, policy formulation and operational procedures that are required in order to properly manage and control the ongoing risks in the firm. This generic model, with its five steps, is shown in Figure 1.19. In their approach, the formulation and execution of the risk management strategy is deemed to be simultaneously taking place at different levels within the firm, within different functions and business units, and also over time.
The dynamic element leads to a continual process of review and modification. In Figure 1.19, the identification of exposures  leads to the formulation of an appropriate managerial response . This is then implemented at the business unit and functional levels, with the appropriate set of controls and evaluation criteria  to determine the policy’s effectiveness . The results of the implementation stage are then reviewed in the light of the firm’s overall corporate performance , changes in strategic objectives, and the changing business environment, which in turn restarts the evaluation process, leading to changes in policy . The process is continuous as in step 6 in our decision approach the risks are kept under constant review. This is because the nature of the firm changes over time, as do the risks it faces.
The risk management process is, therefore, a continual adjustment of the firm’s exposures in the light of changing conditions, the firm’s own capacity to operate its hedging and insurance programme, and the cost–benefit trade-offs involved.