Risk assessment is the process of identifying variables that have the potential to negatively impact an organization’s ability to conduct business.
In a large enterprise, a risk assessment is usually conducted by the Chief Risk Officer (CRO). A risk assessment can be quantitative or qualitative. In a quantitative risk assessment, the CRO assigns numerical values to the probability that an event will occur and to the impact it will have. These numerical values can then be used to calculate an event's risk factor, which in turn can be mapped to dollar amounts. Qualitative risk assessments, which are used more often, do not involve numerical probabilities or predictions of loss. The goal of a qualitative approach is simply to rank which risks pose the most danger.
This table illustrates an example of a quantitative assessment.
A risk matrix is a qualitative tool for sharing a risk assessment.