Risk Management, Risk Assessment, Risk Analysis — These 3 terms all loosely refer to important activities used to identify and analyze potential risks facing an organization. In fact, standards created for different sectors and industries define them differently. No particular nomenclature is preferred as long as they are applied consistently. This article describes the way the ISO 31000 standard defines these activities, as leader for generic risk management.

Risk Assessment is the overall name for the process of three activities: risk identification, risk analysis and risk evaluation. All of these should be conducted systematically, iteratively and collaboratively, drawing on the knowledge and views of stakeholders. These processes helps organizations to manage uncertainty and encourage informed decision-making. It is an integral and critical part of enterprise risk management.

Some other benefits of risk assessment include:

✅ Improved security policies/procedures
✅ Increased communication and employee awareness
✅ Saved time, money, and reputation

By employing risk assessment, organizations can identify risks and take early action to mitigate potential consequences or enhance potential opportunities. The most important part of risk assessment is risk identification.

So, how does an organization go about risk assessment?

The Process of Risk Assessment

Risk assessment is a complex process; an organization must take into account all internal and external contexts and establishing risk criteria. (Risk Criteria will be explained in greater detail in our next post.). Internal context might be financial data, and external context might be marketing forecasts. The structure and undertaking of risk analysis are outlined in-depth in the risk management standard ISO 31000. The tools for each activity in risk assessment are addressed and taught in great detail in “ISO 31010, Risk Management –Risk Assessment Techniques”.

Organizations can break risk assessment into three simpler steps:

1. Risk Identification

Find, recognize and describe risks that might help or prevent an organization from achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks. Consider the following when identifying risk:

— threats and opportunities;
— changes in the external and internal context;
— emerging risks;
— consequences and their impact on objectives;
— limitations of knowledge and reliability of information;
— timeframes and time influences;
— biases, assumptions and beliefs of those involved.

2. Risk Analysis

Risk analysis seeks to comprehend the nature of individual risk previously identified, and its consequences, attempting to establish the level of risk which exists. (Level of risk will be explained in greater detail in our next post.) Consider:

— the likelihood of events and their possible consequences;
— the magnitude of consequences upon your objectives;
— the effectiveness of existing controls;
— sensitivity and confidence levels of your analysis.

The output of your risk analysis provides an input to risk evaluation: that is decisions on whether this risk needs to be treated and the most appropriate risk treatment strategy and methods. The results provide insight for decision making, where choices must be made, and the options involved for different types and levels of risk.

3. Risk Evaluation

Risk evaluation enables you to support your organization’s decisions on risks, both internally and externally. It involves comparing the results of the risk identification and subsequent analysis with your pre-established risk criteria to determine the significance of a risk and whether or how to treat it. This can lead to a decision to:

— do nothing further;
— consider different risk treatment options;
— undertake further analysis to better understand the risk;
— maintain existing controls;
— reconsider objectives.

Recording, communicating and validating your outcomes of risk evaluation provide tremendous value to your organization, bringing you closer to achieving your objectives. 


Change your life and career - in just 9 hours!

Make brilliant decisions effortlessly.

Rely on a risk management framework that always works.

Online, self-paced, easy-to-understand ISO 31000 course with certification.