Risk management is the process of deciding how best to respond to risks. While one would clearly like to eliminate all risks, this is not feasible. People willingly accept risks from a wide range of activities, such as driving automobiles, crossing streets, and eating hamburgers. The question of whether a risk is acceptable is not a purely technical question. Rather it is a question that depends on values. While it might simplify matters if we could set a simple threshold for acceptable risk, perhaps a one in a million lifetime risk, and say that activities more risky than this are “unacceptable” and those less risky than this are “acceptable”, there are two reasons why this approach does not work. The first is related to risk perception. The public does not react to risk simply in terms of its expected annual fatalities. Thus the acceptability of a risk in the public’s eyes is not simply a matter of the probabilities of fatality but includes other aspects of the activity, such as: whether the activities are undertaken voluntarily; whether the process that leads to the risk is a new process or an old and familiar process; and whether their risk provokes an emotional 'dread' reaction or not. This aspect of defining acceptable risk must be worked through using the process of risk communication and engagement described above.

Some activities are considered essential and must be tolerated even if they produce relatively high risks. In other cases there may be inexpensive alternatives to the activity which are less risky or modifications to the activity which make it less risky. In these cases the risk might well be judged unacceptable because such readily available alternatives exist.

Traditionally, risk management was not included in the risk assessment process (NRC, Red Book, 1983)[1]. However, a new paradigm (see figure below) from NRC’s Science and Decisions: Advancing Risk Assessment (NRC, 2008)[2] has allowed integration of risk management into the risk assessment process. Specifically, it organizes the traditional four steps into three phases, which allows risk management its own section entirely. Risk management is placed in Phase 3, where it utilizes quantitative information from Phases 1 and 2, as well as considers the socio-economic impact a decision may have. Risk management analyzes the relative health or environmental benefits of the proposed risk management options and evaluates them for the purpose of reaching a decision [1].

Risk management interprets the social science of risk to include economic and cultural influences in the decision making process. Public perception and compliance are also key to identifying areas of risk that are influenced by the general public thought. The methods of analysis through which cost/benefit decisions are made is often determined by quantitative information obtained in Phases 1 and 2 of risk assessment. These decisions often involve implementing new procedures for dealing with specific risks. The control measures associated with these procedures are summarized as well as expanded upon through specific risk management case studies.

Risk assessment paradigm from the National Academies of Science[2].