First of all, a risk strategy has to be established which determines how risks are managed. This risk management plan has to include among other things business objectives, budgets and time frames, structural workflows and the ratio between potential opportunities and risks.
And finally, the risks have to be identified and defined/categorised (e.g. financial vs. personal risks), and causes and first symptoms of potential risks have to be detected. This identification of potential risks forms the basis for any additional risk management