Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks – those that could impact the organization’s ability to achieve its strategic objectives.
Most organizations also conduct internal audit risk assessments to aid in the development of the internal audit plan. A traditional internal audit risk assessment is likely to consider financial statement risks and other operational and compliance risks.
While both of these kinds of risk assessments are typically intended to identify significant compliance-related risks, neither is designed to specifically identify legal or regulatory compliance risks