Matthew Tuchow is Chief Compliance and Business Integrity Officer, Veterans Health Administration, U.S. Department of Veterans Affairs in Washington, DC.

I have yet to hear of an organization with unlimited resources to devote to compliance. To determine where to focus those limited resources, a risk assessment is a great tool. Risk assessment is a critical element of an effective compliance program, and in many ways, it should serve as its foundation. It helps an organization make an educated decision on which risks to prioritize given the reality that not all risks can be mitigated; even the top risks cannot be mitigated at the same pace.

A risk assessment is also a vehicle to educate your business partners about their roles as risk managers, which they may not currently understand. Assessments also carve out important time to have conversations about risk with business colleagues with whom you may not speak regularly, which may help unveil risk blind spots. I once assumed a business unit did no foreign business, and I therefore never considered the Foreign Corrupt Practices Act (FCPA) to be a risk area. Much to my surprise, however, I learned during such a conversation that the organization had just decided to seek foreign business.

My greatest lesson from having done risk assessments for years is that it is an art, not a science. At its core, a risk assessment is an opportunity to pull the right people together and make reasoned choices about the risks to mitigate, manage, or accept—and the order and pace at which to do so.

What follows are some fundamental aspects of a well-developed risk assessment that are, in my experience, often overlooked.