As the Christmas season approaches, many will be considering the cost of celebrating the festival. Especially in the West, Christmas is now characterised (sadly) by commercialisation and materialism, imposing a significant cost burden particularly on families. Is it worth it? As we seek to manage risk effectively, questions of cost also arise since risk management is not free. There is no "zero-cost option" for risk management, and the costs to be paid fall into three categories : one-off, ongoing, and occasional.
隨者耶誕佳節的來臨，許多人會考慮慶祝節日的成本。尤其是在西方，耶誕節現在的特色（很遺憾地）為商品化與物質化，因而增加了許多成本負擔，特別是在家庭上，這是否值得？當我們尋求有效地管理風險時，也有成本的問題，因為風險管理不是白吃的午餐。對風險管理而言，沒有「零成本」這個選項。要付出的成本有三種類型：一次付足、持續付出、偶而付出。

First are the costs of entry, paid once to establish a risk management capability. The primary cost here is for the "Three T's" : techniques, tools and training. Any organisation wishing to manage risk has to invest in the necessary infrastructure to support the risk process. Techniques and procedures must be developed and rolled out. Tools to support the process must be bought or developed. And staff must be trained to use the techniques and tools effectively. If the entry cost is not paid, risk management remains merely a good intention, with no capability to deliver.
第一種是進入成本，付出一次以建立風險管理能力。這種成本主要是為了三個T：技術(Techniques)、工具(Tools)、以及訓練(Training)，任何想要管理風險的組織，都必須要投資於支持風險程序的基礎建設，技術及流程必須被發展出且啟動，必須購買或發展支持程序的工具，且員工必須被訓練到可以有效地使用技術及工具。如果沒有付出進入成本，風險管理僅是一種好的意圖，但缺乏促其實現的能力。

The second type of costs are for ongoing maintenance, to preserve an effective organisational risk management capability. It is important to keep the risk process fresh and up to date. Without ongoing development of the risk process, there is a danger of losing effectiveness. Risk management is a developing discipline, and new techniques and tools emerge regularly. Even the conceptual basis continues to grow as new ideas become accepted into the mainstream. Effective risk management requires refresher training to maintain and develop staff skills, as well as revitalising the process to incorporate recent developments and new approaches. On average an organisation should aim to refresh its risk process every 2-3 years to stay up to date.
第二種成本是為了要持續維持，為了有效維持組織風險管理的能力，保持風險程序是在最新狀態是重要的，若不能持續發展風險程序，就會有失去效果的危險。風險管理是一個發展中的學域，新技術與工具經常會出現，而當有新想法為主流體系接受時，甚至概念基礎也還會持續成長。有效的風險管理需要增補的訓練以保持及發展員工的技巧，以及配合最新發展及新途徑以更新程序。平均而言，一個組織更新其風險管理程序之目標應為2-3年，以保持在最新狀態。