Chapter 2. A Risk Assessment and Risk Management Primer

Chapter Goals:

  • Define risk assessment.

  • Define risk management.

  • Understand the differences between the two concepts.

Before you begin your risk initiative, let’s define some terms. Some people want to use “risk assessment” and “risk management” interchangeably; but they are in fact different. In short, you assess your risks so you can more effectively address those risks. A risk assessment includes the processes of identifying, analyzing, and evaluating the severity of risks. Performing these steps helps determine the best way to address those risks: to monitor, minimize, or mitigate their impact. Assessing and addressing risks together form the foundations of risk management.

To further connect these two terms, it is helpful to understand that risk management comprises a general set of processes that can be used for a variety of purposes. For example, large corporations may have a whole department dedicated to risk management, which might focus on anything from operational to liability to financial risks and more. Alternately, some organizations may only do more highly focused forms of risk management—for health and safety, natural disasters, IT infrastructure, or legal and regulatory compliance, to name a few. At the far end of the continuum is enterprise risk management (ERM), which involves a framework that aims to assess and address all forms of risk.

But this book is about compliance risk management, which means we want to identify, analyze, and evaluate the risks of an organization being noncompliant with applicable laws and regulations, and we want to use the results to minimize or mitigate those risks. Certainly, this sort of risk management can overlap with and be integrated into other forms of risk management. For instance, if your organization is just beginning to assess and address compliance risks, then integration with an ERM framework might be a long-term goal. But for the most part, we will stay focused on compliance.

Before we can explain how to go about assessing compliance risks, we need to understand the basic premises of risk and understand how an organization’s tolerance of risk impacts the process. This base knowledge will help drive the question of what will be the universe of risk to be assessed.