Risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it's an analysis of what could go wrong.
Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed.
Finally, having identified and assessed risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others, it may be to accept it.
The risk assessment process is an ongoing one. Internal and external threats constantly develop, presenting new hazards to the organization. Change itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level.
Each operating unit at the University faces its own challenges and must assess how it will manage them to meet its objectives. A good internal control system can mitigate those risks, and the Internal Audit office can advise you on developing good internal controls.
The Ohio University Internal Audit Office assesses enterprise-wide business risks throughout the university. We seek input from the Board of Trustees, administrators and staff, faculty, students, and our external auditors on possible risks and their likelihood or importance. The results of the assessment are used to prepare future annual audit plans.