Risk management is a term of art for the ongoing set of activities by which an organization identifies and assesses its risks and then creates and carries out a plan for addressing them (by mitigating, transferring, avoiding or accepting each one). The goals of risk management include protecting the organization's profitability (its bottom line), ensuring that the organization meets its regulatory compliance requirements, and assuring that the organization can achieve its mission and key objectives.
Risk assessment is the process of identifying the threats an organization faces and the vulnerabilities those threats could exploit, and then estimating the likelihood that each threat will be realized and the organizational impact if it is. A risk, in this usage, is the combination of a threat, a vulnerability it could exploit, and the resulting likelihood and impact; the term is often used loosely for the threats and vulnerabilities themselves. There are two main types of risk assessment. A quantitative risk assessment uses real numbers to calculate risk and potential loss: the likelihood of occurrence is expressed as a probability (a percentage) and the loss as a dollar value, so that, for example, a loss of $100,000 expected once every ten years represents an expected loss of $10,000 per year. A qualitative risk assessment instead uses scenarios and rating scales (e.g., low, medium and high for likelihood and for impact) to rank risks and potential harm where reliable numbers are unavailable or not worth the cost of obtaining. A number of published methodologies exist for conducting both quantitative and qualitative risk assessments.