How to Conduct a Risk Assessment

*The risk assessment lies at the core of risk management. Without a clear understanding of the risks faced, none of the other risk management activities can be undertaken. This means that the organization will remain reactive instead of being able to take proactive steps informed by risk-based decision making. However, risk assessments have the potential to become hugely complex, sometimes becoming the only risk management activity that is undertaken, as organizations become exhausted by the assessment process and don’t conduct any of the follow-up activities. Detailed here is a four-phase risk assessment process that can be used for most non-technical assessments.* ...

March 18, 2017 · 27 min

A Foundation for Risk Management

In the simplest of terms, risk management helps you function in the real world. Organizations are under constant assault from both anticipated and unanticipated events which threaten to derail their plans. Risk management is what helps them understand, prepare for and react to these events. The largest firms will spend thousands of hours and billions of dollars on risk and compliance annually and there are dozens of different standards or methodologies to help guide the risk manager. But what do you do if you are a small organization and there is no money for training or consulting? Or if risk management is the second or third responsibility on your job description – the one you never quite get around to? ...

March 10, 2017 · 5 min

WDYMB…Understanding?

*Understanding is not the same as having information – it is the process of putting that information into context to work out what it means in a particular situation. We conduct a similar process on a larger scale during the ‘understand’ stage of the risk management process. During this time, we build on our knowledge of an organization to understand the risks it faces.* The term ‘understand’ is both an activity and a stage in our risk management process. As an activity, understanding means relating that information to a situation. Chess is often used as an illustration because I may know the names of the pieces on a chess board and what they can do, but I could still not understand chess. How the pieces interact, the set moves, strategies and how to apply these are all necessary to understand the game. Understanding can be achieved by asking the questions ‘why?’ or ‘so what?’ until you run out of questions. ...

March 3, 2017 · 7 min

What is Risk?

Risk and risk discussions are often hampered by inconsistent terminology and a high degree of subjectivity. To overcome this, we need to understand what we mean when we ask ‘what is risk?’. This article lays out a concept for risk using the ISO definition – the effect of uncertainty on objectives. It breaks individual risks into their three main components: threat, vulnerability and impact for downside risks, or opportunity, exposure and impact for upside risks. These concepts form the basis for all subsequent risk discussions and lay the groundwork for a risk assessment methodology. ...

February 24, 2017 · 11 min