Up front, this seems like an easy question to answer.
‘It’s to help us understand our risks.’
That’s true but then, what? What comes next?
If we start a risk assessment with no clear idea of what it’s to be used for, we will end up with something that’s unfocussed and doesn’t provide the insight we need. Or we might end up losing our way as we get spread too thin trying to assess everything.
Sadly, I’ve been part of dozens of projects where I knew that the final report was going to end up sitting on someone’s desk gathering dust or overlooked on a hard drive. They knew that they ought to have a risk assessment but just weren’t sure what to do next. Somewhere along the line the report gets lost and forgotten because no-one else was wondering where it was. No-one else was depending on it.
And that’s assuming we managed to finish the assessment in the first place.
The risk assessment, indeed the risk management program generally, should help the organization achieve its objectives. Specifically, the risk assessment is to help decision-makers understand the risks that might stand in the way of progress. Or the risks they should take advantage of to help drive things forward.
The point is that the risk assessment is a tool to help support decision-making.
You need to drill into what the specific point of each assessment is before you start but the first thing you need to do is to remember that this is a means to an end, not the end in itself. This is a critical part of your organization’s decision-making process, not something that sits in isolation.
So the more accurate answer to the question is:
‘Our risk assessment help us understand our risks so we can make better decisions’.
What that decision is depends on the situation but keep this in mind and your assessment will be more focussed, more efficient and more effective.