Risk assessment

A risk assessment is the practice of reviewing an organization's activities and investments to determine the likelihood of loss. A business gains the following advantages from the risk assessment process:

  • It can decide whether to make a new investment or sell off an existing investment.
  • It can determine which actions to take in order to mitigate certain risks.
  • It can decide whether there are significant upsides related to certain risks that make it worthwhile to retain those risks.

Risk assessments must be completed at regular intervals, so that changes in the financial and operating environment can be included. For example, a decline in general economic conditions could increase the expected rate of default on mortgages issued by a bank. Or, changes in weather conditions could alter the expected quantities of grain that will be shipped by a freight transfer company, which alters its cash flows. As another example, a company has just acquired another business, and conducts a risk assessment related to all aspects of the acquiree, such as the likelihood of customer turnover, employee theft, and product recalls. Or, a risk assessment of a company's computer systems could result in the identification of several security holes that a hacker could exploit.

There are a number of risk mitigation techniques that may be pursued. For example, procedures can be altered to eliminate risky practices. Or, risk can be handed off to a third party, perhaps by outsourcing activities or buying insurance. In some cases, management may deliberately choose to retain risk, especially when the business has a deep knowledge of the risk area and believes that it can effectively manage the risk.

Risk assessments are conducted by the chief risk officer (CRO). If there is no CRO, the task is usually taken over by the chief financial officer.