Which of the following steps is NOT part of mitigating operational risk?

The correct answer is the choice that states "Assume all risks can be eliminated." This statement is not part of mitigating operational risk because a fundamental principle of risk management is the understanding that risks cannot be completely eliminated. Instead, organizations must identify, assess, and manage risks in a way that minimizes their impact and likelihood.

Mitigating operational risk involves recognizing and addressing potential vulnerabilities in business processes. The other steps listed are critical components of effective risk management. Identifying risks helps to pinpoint where potential issues may arise, while assessing those risks allows for a deeper understanding of their potential impact due to changes in operations. Furthermore, identifying appropriate controls is essential for reducing the likelihood or impact of these risks. Therefore, it is unrealistic and counterproductive to assume that all risks can be eliminated, as this overlooks the inherent uncertainties in any business operation.