Enterprise Risk Management and Internal Control both contain components called Risk Assessment. So, Risk Assessment is a part of the control process, or a component of control. Risk assessment always starts with clear objectives, then goes on to identifying controls and risks. If objectives are not clear, the risks are too many to even try to identify!