What is a risk assessment?
- A risk assessment is not an audit.
- A risk assessment is a method used to identify vulnerabilities which might prevent a department from achieving its goals and objectives.
- Part of the process is a review of mission and goals: Are your unit’s mission and goals in sync with the University’s mission and goals?
- Part of the process is to identify the activities of the department and determine what could prevent the area from achieving its goals or mission
- A risk assessment can be a formal process that assigns a score to risk based on impact and probability. Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed, or the likelihood of occurrence and impact on objectives
Why assess risk?
- To identify vulnerable areas within a department.
- To direct resources effectively. Too many people or too much time may be spent on processes that do not need that much attention while riskier processes are lacking in attention.
- To communicate risks. An end product that will visually show you and senior management where the problems are.
- Having assessed risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others, it may be to accept it.
How do you assess risk?
Risk assessments can be performed on a single process within a department, or they can be performed on a major function within the University. To the right you will find a link to instructions on the survey process. You will also find a template for Information Technology (IT) Risk Analysis Survey and Operational Risk Analysis Survey. You may perform the risk assessment on your own, but if you would like to have someone from Internal Audit facilitate a risk assessment survey for your department, please contact us at (804) 524-5295.
updated: September 2015