A risk assessment is the identification and analysis of relevant risks to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed. A risk assessment begins with an initial determination of operating objectives, followed by a systematic identification of the things that could prevent each objective from being attained. In other words, it is an analysis of what could go wrong.
Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed. Finally, having identified and assessed a risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others, it may be to accept it.
An operating unit's risk assessment activity should be an ongoing process. Internal and external threats constantly develop, presenting new hazards to the organization. Change itself is a risk, and management must continually adapt its policies and procedures to keep its changing risks at a comfortable level. Each operating unit at the University faces its own challenges and must assess how it will manage them to meet its objectives. A good internal control system can mitigate those risks, and the Internal Audit office can advise you on developing good internal controls.
If you have a control already in place and you would like to know how well it is functioning, Internal Audit can either work with you to devise tests for you to conduct, or take on a special project where we test that control.