Yes, this is Cyber Risk 101, but the distinction between risk analysis and risk assessment is a common source of confusion, so let Jack Jones explain it in an excerpt from his book Measuring and Managing Information Risk: A FAIR Approach:
Many people don’t differentiate “assessment” from “analysis,” but there is an important difference.
From a FAIR model perspective, risk analysis is often a subcomponent of the larger risk assessment process.
The broader risk assessment process typically includes:
• Identification of the issues that contribute to risk,
• Analyzing their significance (this is one place where FAIR fits in),
• Identifying options for dealing with the risk issue,
• Determining which option is likely to be the best fit (another opportunity to apply FAIR), and
• Communicating results and recommendations to decision-makers.
As you can see, “analysis” is about evaluating significance and/or enabling the comparison of options.
Unfortunately, much of what you see today in risk management is assessment without meaningful (or accurate) analysis. The result is poorly informed prioritization and cost-ineffective decisions.
Bottom line— The purpose of any risk analysis is to provide a decision-maker with the best possible information about loss exposure and their options for dealing with it.
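To make the "comparing options" step concrete, here is an added example (not from the book or this post) that applies FAIR's top-level factorization, loss event frequency times loss magnitude, to rank two candidate controls by the loss exposure they remove net of their cost. The scenario, the three-point estimates and the control costs are constructed, hypothetical numbers.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Expected value of a triangular distribution over the three points.
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: the current state or the state after applying a control."""
    name: str
    lef: Estimate             # Loss Event Frequency, loss events per year
    lm: Estimate              # Loss Magnitude, currency lost per event
    annual_cost: float = 0.0  # yearly cost of the control that yields this state

    def annualized_loss_exposure(self) -> float:
        # FAIR top level: risk = Loss Event Frequency x Loss Magnitude. Treating the
        # factors as independent, E[LEF * LM] = E[LEF] * E[LM]. A full FAIR analysis
        # simulates the whole distribution to show ranges; expected values keep this
        # comparison deterministic.
        return self.lef.mean() * self.lm.mean()


def net_benefit(baseline: Scenario, option: Scenario) -> float:
    """Exposure removed by the option, net of what the option costs each year."""
    reduction = baseline.annualized_loss_exposure() - option.annualized_loss_exposure()
    return reduction - option.annual_cost


def rank_options(baseline: Scenario, options: List[Scenario]) -> List[Tuple[str, float]]:
    """Order the options for a decision-maker, best net benefit first."""
    ranked = [(o.name, net_benefit(baseline, o)) for o in options]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample (hypothetical numbers): credential phishing against staff.
BASELINE = Scenario("current state", Estimate(0.5, 2.0, 4.0), Estimate(50_000, 200_000, 500_000))
OPTIONS = [
    Scenario("phishing-resistant MFA", Estimate(0.2, 0.5, 1.0), Estimate(50_000, 200_000, 500_000), 100_000),
    Scenario("session monitoring", Estimate(0.5, 2.0, 4.0), Estimate(10_000, 50_000, 150_000), 50_000),
]

if __name__ == "__main__":
    for name, benefit in rank_options(BASELINE, OPTIONS):
        print(f"{name}: net annual benefit {benefit:,.0f}")
```

With these constructed inputs the monitoring option ranks first even though it reduces frequency not at all, because it cuts the loss per event by more than the MFA option cuts frequency, at half the cost.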
Benchmark your organization's risk skillset against your peers. Take the 2017 Risk Management Maturity Survey.