What does risk assessment involve?
The classic definition of risk assessment is the identification of anything that is harmful to the organization’s objectives. The analysis should include both internal and external factors, and should cover both financial and nonfinancial objectives. Risks are traditionally evaluated in terms of likelihood (What are the chances that this event could happen?) and impact (What would be the effects on the business’s objectives if it were to happen?). Turning these broad concepts into actions and responsibilities can create issues, most notably when defining how often the risk assessment activities should be performed and who should be involved. Many organizations treat risk assessment as an annual task that involves senior management, internal audit or the risk and control department. This treatment, however, misses the perceptions of employees involved in day-to-day operations and eliminates the chance for refinements during the course of the year. In small and medium-sized organizations in