A risk assessment begins by identifying all the risks the organization and its business units and functions face. It then moves on to measuring the magnitude and likelihood of the potential losses associated with those risks (or the risk exposure). The company must allocate risk-management resources only to the risks that warrant them; you don’t buy flood insurance if you live in the desert.
Risk exposure is the potential monetary losses that could occur if a risk became a reality. So if a bank has loans to Russia totaling $2.5 billion, management would say, “Our total exposure in Russia is $2.5 billion.”