What is a Comprehensive Risk Assessment? Does My Company Need One?

Robert Keenan, Chief Information & Risk Officer


Starting, running, or managing a business requires you to take risks. To succeed, however, you need a risk management plan for any business endeavor. Risk management helps companies prepare for unanticipated future events. To start managing your risk, you will need to conduct a comprehensive risk assessment.


What is a Comprehensive Risk Assessment?

A risk assessment is an organized method of identifying the possible risks involved in carrying out a particular activity. A comprehensive risk assessment goes one step further: after discovering the risks, it categorizes each of them into one of three major classes: high, medium, or low risk.

The assessment provides an all-inclusive report detailing the risks your business currently faces or could potentially face. After discovery, each risk is evaluated independently to determine the likelihood of it occurring, rated accordingly, and ordered from high to low.

Finally, the effort required to remediate each risk is rated according to how easy it is to address (usually from easy to challenging). Quick and straightforward remediations (those requiring, for example, less budget or fewer resources) are implemented first, closely followed by the medium-rated ones, and finally the more difficult ones.


What Does a Comprehensive Risk Assessment Cover?

1. Compliance and Operational Risk Review

Businesses across different industries must comply with various regulations and compliance requirements. Additionally, many firms and organizations continue to experience rising non-financial risks, which include technology failures and operational mistakes. It is therefore vital to conduct a review that confirms you are not only adhering to the laws governing your business's operations but also keeping operational risks at a manageable level.

Failing to conduct a compliance and operational risk assessment may expose the company to losses, expensive litigation or fines, remediation costs from non-compliance, employee safety issues, or damage to the business's reputation. The review encompasses a complete assessment of everything that touches compliance and operations: organizational structure, resources, location, training, and policies and procedures.

2. Physical Security Assessment

This form of assessment can answer most of your questions as a business owner or executive. What are the biggest risks to my physical structure and my most valuable asset, my employees? Where is the business most susceptible?

A physical security assessment is an evaluation of the assets to be protected and of the best strategies for putting strong protection measures in place. The review helps you identify:

  • Major threats facing your people and property.
  • Loopholes or weak points you may have previously disregarded.
  • The priority in which to tackle each item.

The output of the security assessment highlights the following areas and gives corresponding recommendations on what to do in each:

  • Physical restrictions or access controls protecting the assets.
  • The security of staff members while they are in your physical buildings/locations.
  • An emergency communication strategy.
  • A rapid response notification system.

3. Technology Assessment

Today, businesses rely on technology for almost all business functions. From email to document storage, inventory, and other day-to-day tasks, your business most likely operates online in one way or another. What would happen if your technology failed? Does your company have an effective disaster recovery plan? How effective are your existing data security measures?

Cybersecurity threats continue to rise as technology advances and attacks become more sophisticated. A high-level cybersecurity assessment is designed to identify the risks to one of your most vital corporate assets: your data. This review seeks to determine whether your business is well prepared to frustrate attempts by cybercriminals to gain illegal or unauthorized access to your business data and networks. It also determines whether you have conducted security awareness training (SAT) and implemented advanced endpoint protection on your systems.

4. Fraud Risk Assessment

The last thing you would want to ignore in business is fraud and potentially fraudulent deals. A fraud assessment enables you to identify possible areas and gaps in your current controls that pose a risk to your organization. Essentially, a fraud review reveals unknown dangers, especially when there are changes in internal processes and controls, organizational structure, or the segregation of duties among personnel. The fraud assessment reviews the appropriate diligence procedures, employee threats, ineffective or non-existent controls, and protection and implementation plans.


Does Your Company Need a Comprehensive Risk Assessment?

Before you can decide whether requesting a comprehensive risk assessment is right for your business, you should ask yourself the following questions:

1. Do I have a feeling that I am missing something?

If you feel this way, an assessment can provide assurance about whether what you currently have in place is enough, or whether changes or improvements need to be made. For instance, many businesses were unprepared for the COVID-19 pandemic that hit the world in 2020. 2021 still holds many uncertainties – have you thought about and prepared for everything?

2. Do you have policies/protocol(s) in place? Are they enough?

If your response is no or you are unsure, you need a risk assessment to help put the necessary policies or protocols in place to remain safe and compliant. If you responded yes, a risk assessment would still help by reviewing your policies to ensure they are practical and enforceable. Because policies change often, you need to assess them regularly.

3. Do you currently or did you recently have an issue?

A risk assessment can help you develop a plan specifically focused on mitigating the risks identified around that issue.

4. What is the fallout and damage control?

A comprehensive risk assessment will help you identify what damage could be caused by each potential risk and help you prepare a strategic plan to mitigate such events.

5. Do you have an internal employee that monitors your processes and procedures?

When a new process is added or significant changes are made to your operations, a risk assessment should be conducted to ensure you capture any new potential threats or unplanned outcomes/consequences to remain prepared and compliant.

In conclusion, a comprehensive risk assessment will help you understand all the threats that could create problems for you and your company, and help you create a proper plan for mitigating and addressing these issues. If you have any questions, please contact us. You can also learn more about our risk assessment services here.





Robert Keenan is the Chief Information & Risk Officer at Lutz with over 20 years of compliance and operational risk experience. He focuses on risk management, compliance, and security for the firm, and will partner with the operations team to drive process improvement and operational efficiencies for Lutz.

  • Risk Management & Compliance
  • Operations
  • Association of Certified Fraud Examiners
  • Society of Compliance and Ethics Professionals
  • National Society of Compliance Professionals
  • Certified Fraud Examiner
  • Certified Compliance and Ethics Professional
  • BA in Finance, University of Oklahoma, Norman, OK
  • MPA, Drake University, Des Moines, IA
  • Association of Certified Fraud Examiners - Heartland Chapter, Board Member
  • Oklahoma University Price College of Business, Board Member


All Content © Lutz & Company, PC 2021