Sometimes, a suitable position is to at least limit the risk to the more susceptible to some risk level above which it seems too inequitable to leave them out of the risk. The idea of not increasing lifetime risk by more than one in a million has become commonplace in public health discourse and policy. How consensus settled on this particular figure is unclear.

In some respects, this figure has the characteristics of a mythical number. In another sense, the figure provides a numerical basis for what to consider a negligible increase in risk. Some current environmental decision making allows some discretion to deem individual risks potentially "acceptable" if below one in ten thousand increased lifetime risk. Low-risk criteria such as these do provide some protection in the case that individuals are exposed to multiple chemicals, whether pollutants, food additives, or other chemicals.

But both of these benchmarks are clearly small relative to the typical one in four lifetime risk of death by cancer due to all causes combined in developed countries. On the other hand, adoption of a zero-risk policy could be motivated by the fact that the 1 in a million policy would still cause the death of hundreds or thousands of people in a large enough population. In practice, however, a true zero risk is possible only with the suppression of the risk-causing activity.

More stringent requirements, or even the 1 in a million one, may not be technologically feasible at a given time, or so expensive as to render the risk-causing activity unsustainable, resulting in the optimal degree of intervention being a balance between risks vs. For example, it might well be that the emissions from hospital incinerators result in a certain number of deaths per year. However, this risk must be balanced against the available alternatives.

In some unusual cases, there are significant public health risks, as well as economic costs, associated with all options. For example, there are risks associated with no incineration, namely the potential spread of infectious diseases, or even with no hospitals. But often, further investigation identifies further options, such as separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator, that provide a broad range of options of acceptable risk, though with varying practical implications and varying economic costs.

Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for there to be an iterative process between analysis, consideration of options, and then further analysis.

In auditing, risk assessment is a crucial stage before accepting an audit engagement. According to ISA Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control." In auditing, audit risk includes inherent risk, control risk and detection risk.

There are two methods of risk assessment in the information security field: qualitative and quantitative.

Qualitative risk assessment is performed when the organization requires a risk assessment be performed in a relatively short time or to meet a small budget, a significant quantity of relevant data is not available, or the persons performing the assessment don't have the sophisticated mathematical, financial, and risk assessment expertise required. Qualitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed.

Qualitative risk assessments are descriptive rather than measurable.

In project management, risk assessment is an integral part of the risk management plan, studying the probability, the impact, and the effect of every known risk on the project, as well as the corrective action to take should that risk occur[3]. Quantitative risk assessments include a calculation of the single loss expectancy (SLE) of an asset.

The single loss expectancy can be defined as the loss of value to an asset based on a single security incident. The annual rate of occurrence (ARO) is an estimate, based on the data, of how often a threat would be successful in exploiting a vulnerability. The annualized loss expectancy (ALE) is the single loss expectancy multiplied by the annual rate of occurrence, or how much an organization could estimate to lose from an asset based on the risks, threats, and vulnerabilities. It then becomes possible from a financial perspective to justify expenditures to implement countermeasures to protect the asset.
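The following is an added example, not part of the original text, that applies ALE = SLE × ARO to a small risk register and tests whether a countermeasure is financially justified. The register entries, the `Risk` and `Countermeasure` names, and the decision rule (ALE before minus ALE after minus the control's annual cost) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: loss from one incident
    aro: float   # annual rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    sle_after: float   # assumed SLE once the control is in place
    aro_after: float   # assumed ARO once the control is in place

def net_annual_benefit(risk: Risk, cm: Countermeasure) -> float:
    """ALE reduction minus the control's yearly cost (assumed decision rule)."""
    if min(risk.sle, risk.aro, cm.sle_after, cm.aro_after, cm.annual_cost) < 0:
        raise ValueError("losses, rates and costs must be non-negative")
    ale_after = cm.sle_after * cm.aro_after
    return risk.ale - ale_after - cm.annual_cost

def rank(register):
    """Order (risk, countermeasure) pairs by net annual benefit, best first."""
    rows = [(r.name, r.ale, c.name, net_annual_benefit(r, c)) for r, c in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed figures for illustration only. The first two risks have the
# same ALE even though one is frequent and small and the other rare and large.
REGISTER = [
    (Risk("laptop theft", 4_000, 5), Countermeasure("full-disk encryption", 3_000, 1_000, 5)),
    (Risk("ransomware on file server", 200_000, 0.1), Countermeasure("offline backups", 8_000, 20_000, 0.1)),
    (Risk("data-centre flood", 500_000, 0.01), Countermeasure("second site", 60_000, 50_000, 0.01)),
]

if __name__ == "__main__":
    for name, ale, control, benefit in rank(REGISTER):
        verdict = "justified" if benefit > 0 else "not justified"
        print(f"{name}: ALE {ale:,.0f}; {control}: net {benefit:,.0f}/yr ({verdict})")
```
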

Barry Commoner, Brian Wynne and other critics have expressed concerns that risk assessment tends to be overly quantitative and reductive. For example, they argue that risk assessments ignore qualitative differences among risks. Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards.

