Risk is a fact of business life. Taking and managing risk is part of what companies must do to create profits and shareholder value. But the corporate meltdowns of recent years suggest that many companies neither manage risk well nor fully understand the risks they are taking.

We define risk broadly to include any event that might push a company’s financial performance below expectations. Typically, the measure used is capital at risk, earnings at risk, or cash flow at risk, depending upon whether the focus is on the balance sheet, the income statement, or cash flows.

Risk comes in four main varieties. The first, market risk, takes the form of exposure to adverse market price movements, such as the value of securities, exchange rates, interest rates or spreads, and commodity prices. Ford, for instance, was hit by market risk in 2002, when palladium prices tumbled and it had to take a $952 million write-down on its stockpile.

Credit risk is exposure to the possibility that a borrower or counterparty might fail to honor its contractual obligations. In 2002, for instance, The Bank of New York announced that it would increase its loan-loss provision by $185 million, to a total of $225 million, for the third quarter of 2002, largely because of loans it had made to telecom companies.

Operational risk is exposure to losses due to inadequate internal processes and systems and to external events. For example, Allfirst, a Baltimore-based subsidiary of Allied Irish Banks, lost $691 million at the hands of a single rogue trader whose practices went undetected for five years until he was caught in 2002.

Finally, business-volume risk, stemming from changes in demand or supply or from competition, is exposure to revenue volatility. The leading US carrier United Airlines, for instance, filed for protection under Chapter 11 of the US bankruptcy code this year after falling demand hit its revenues.