The proposed EU AI Act is the first comprehensive attempt to regulate AI in a major jurisdiction. This article analyses Article 9, the key risk management provision in the AI Act. It gives an overview of the regulatory concept behind Article 9, determines its purpose and scope of application, offers a comprehensive interpretation of the specific risk management requirements, and outlines ways in which the requirements can be enforced. This article is written with the aim of helping providers of high-risk systems comply with the requirements set out in Article 9. In addition, it can inform revisions of the current draft of the AI Act and efforts to develop harmonised standards on AI risk management.