I thought about risk assessments and risk management when pondering that as companies become more mature in their compliance programs, they can use the information generated in a risk assessment in a variety of ways to facilitate an overall risk management program. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes posit that the initial step a company must take to create an effective risk management system is to understand “the qualitative distinctions among the types of risk that an organization faces.” The authors have separated business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. They state that companies should design their risk management strategies to each category because what may be an adequate risk management strategy for the management of preventable risks is “wholly inadequate” for the management of strategy or external risks.