As consultants, we often hear people use the terms Risk, Risk Management, Risk Assessment, and Risk Analysis to describe a wide variety of things. While this may not be a big deal to most, for those who are tasked with performing that work it can cause confusion and the occasional misunderstanding (due to missed expectations).
While there is some overlap in the actual work those terms describe (e.g. Risk Management and Risk Assessment both include Risk Analysis), there are differences that are worth pointing out.
Risk Management
First, let's start with Risk Management. According to the Marquette University Risk Unit, risk management is "the continuing process to identify, analyze, evaluate, and treat loss exposures and monitor risk control and financial resources to mitigate the adverse effects of loss." We typically simplify this a bit and describe it as the Identification, Analysis (or Measurement), Treatment and Monitoring of risk.
Risk Assessment
According to the Open Group, risk assessment includes the processes and technologies that identify, evaluate, and report on risk-related concerns. As stated in NIST SP 800-30, the risk assessment process is a "key component" of the risk management process. Using the simplified definition of Risk Management above, risk assessment is primarily concerned with the Identification and Analysis phases.
Risk Analysis
Again referencing the Open Group, risk analysis can be considered the evaluation component of the broader risk assessment process, which determines the significance of the identified risk concerns. Simplifying this a bit, we can think of risk analysis as the actual quantification of risk (i.e. calculating the probability and magnitude of loss).
So from a hierarchical perspective: Risk Analysis is part of Risk Assessment, which in turn is part of Risk Management.