What is risk assessment?

Risk Assessment is management's process of identifying risks and rating the likelihood and impact of a risk event.  An internal control assessment can be performed at the same time.  This takes the risk assessment and maps internal controls to the risks to determine if there are gaps between risks and controls.

A Risk Event is a potential event or missed opportunity that may negatively impact your ability to meet your business objectives.

Likelihood is how likely it is for a Risk Event to occur.

Impact is how much impact a Risk Event may have on your operations.

Inherent Risk is the risk to an organization in the absence of any actions management might take to alter the risk's likelihood or impact.

Control is an activity that helps ensure that management directives to mitigate risk are carried out.

Internal Controls are control activities including policies that establish what should and should not be done and procedures that are the actions to implement the policies.  Control activities either deter undesirable acts or prevent errors from occurring (preventative) or find undesirable acts or errors after they've occurred and provide evidence as to whether the preventative controls are effective (detective).  Internal controls are either automated by software or manually performed.

Residual Risk is the risk remaining after management has taken actions to alter the risk's Likelihood or Impact.

Process Maps are graphical representations of your program's key processes including internal control activities.

Performance Measures identify your program's true measures of success.

A Risk Score is a mathematical equation where Impact, Likelihood and other risk measurement factors are assigned weights and calculated in a manner to create a stack ranking or heat map of risks.

A Risk Control Matrix shows how internal controls address each of your program's risks.

The model shows a colored bar divided, from left to right, into yellow, green, yellow and red sections. The first yellow section is labeled low level, the green section risk appetite, the second yellow section risk tolerance, and the red section high level.

Risk Appetite is the amount of risk, on a broad level, that an organization is willing to accept in pursuit of value; it reflects the enterprise's risk management philosophy and in turn influences the entity's culture and operating style.

Risk Tolerance is the acceptable level of variation relative to the achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.
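The definitions above describe a Risk Score built from weighted Likelihood and Impact ratings, a Risk Control Matrix that maps controls to risks (and exposes gaps), Residual Risk as the inherent score after controls, and the bar that places a score in a low level / risk appetite / risk tolerance / high level band. The following is an added worked example, not code from the page or from COSO: the weighted-sum scoring formula, the multiplicative treatment of control effectiveness, the band thresholds and the small risk register and control matrix are all constructed assumptions chosen to illustrate the mechanics.

```python
"""Worked risk-scoring example (added illustration; all data below is constructed)."""
from typing import Dict, List, Tuple

# Constructed risk register: each risk rated 1..5 for Likelihood and Impact.
RISKS: Dict[str, Dict[str, int]] = {
    "R1 unauthorised access to payroll data": {"likelihood": 4, "impact": 5},
    "R2 vendor invoice paid twice":           {"likelihood": 3, "impact": 2},
    "R3 backup restore fails":                {"likelihood": 2, "impact": 5},
}

# Constructed risk control matrix: risk id -> controls mapped to it.
# Each control: (name, preventative|detective, assumed effectiveness 0..1).
CONTROLS: Dict[str, List[Tuple[str, str, float]]] = {
    "R1 unauthorised access to payroll data": [
        ("MFA on payroll system", "preventative", 0.6),
        ("Weekly access-log review", "detective", 0.3),
    ],
    "R2 vendor invoice paid twice": [
        ("Three-way match before payment", "preventative", 0.8),
    ],
    # R3 deliberately has no control mapped: the matrix should flag it as a gap.
}

# Assumed factor weights and assumed band boundaries on a 0..100 score scale.
WEIGHTS = {"likelihood": 0.5, "impact": 0.5}
BANDS = [(20.0, "low level"), (40.0, "risk appetite"), (60.0, "risk tolerance")]
SCALE_MIN, SCALE_MAX = 1, 5


def inherent_score(ratings: Dict[str, int], weights=WEIGHTS) -> float:
    """Weighted sum of the 1..5 ratings, rescaled to 0..100, before any controls."""
    total = 0.0
    for factor, weight in weights.items():
        rating = ratings[factor]
        if not SCALE_MIN <= rating <= SCALE_MAX:
            raise ValueError(f"{factor} rating {rating} outside {SCALE_MIN}..{SCALE_MAX}")
        total += weight * (rating - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)
    return round(100.0 * total / sum(weights.values()), 2)


def residual_score(risk_id: str) -> float:
    """Inherent score reduced by each mapped control's assumed effectiveness.

    Controls are treated as independent, so their reductions multiply; a risk
    with nothing mapped keeps its inherent score."""
    score = inherent_score(RISKS[risk_id])
    for _name, _kind, effectiveness in CONTROLS.get(risk_id, []):
        score *= 1.0 - effectiveness
    return round(score, 2)


def band(score: float) -> str:
    """Place a score in the bar's bands: low level, risk appetite, risk tolerance, high level."""
    for upper, label in BANDS:
        if score < upper:
            return label
    return "high level"


def control_gaps() -> List[str]:
    """Risks in the register with no control mapped in the matrix."""
    return [rid for rid in RISKS if not CONTROLS.get(rid)]


def stack_rank() -> List[Tuple[str, float, float, str]]:
    """(risk, inherent, residual, band) rows sorted by residual score, highest first."""
    rows = []
    for rid, ratings in RISKS.items():
        residual = residual_score(rid)
        rows.append((rid, inherent_score(ratings), residual, band(residual)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def heat_map() -> Dict[Tuple[int, int], List[str]]:
    """Inherent heat-map cells keyed by (likelihood, impact) -> risk ids in that cell."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for rid, ratings in RISKS.items():
        cells.setdefault((ratings["likelihood"], ratings["impact"]), []).append(rid)
    return cells


if __name__ == "__main__":
    for rid, inherent, residual, label in stack_rank():
        print(f"{residual:6.1f} (inherent {inherent:5.1f}) {label:15s} {rid}")
    print("Gaps (no control mapped):", control_gaps())
```

With the constructed data, R3 carries the highest residual score because nothing in the matrix addresses it, even though its inherent score is below R1's; that is the gap an internal control assessment run alongside the risk assessment is meant to surface. Swapping the weights, thresholds or effectiveness values changes the ranking, which is why those choices should be agreed and documented before the scores are used.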

The Strategic Risk Assessment Process includes seven steps, representing a continuous process for organizations to assess and manage risks. While depicted differently in this image, these seven steps align with the components in COSO’s 2017 Framework.