For many years, I used (and continued to develop) a tool that helped with risk discussions with the board and top management. You can access a copy here. (By the way, I have made a number of other files available from my LinkedIn profile.)
The tool is a vehicle for talking about risks to the business. It is somewhat similar to a risk register, but it is easier for most executives to work with a visual representation.
First, I talk to the executives about the diagram and ask whether it includes the more significant risks.
Then, we go through each area and assess the various risks.
The results are aggregated and I put together a summary (usually in the form of a heat map or hi:lo chart) to discuss with the board. The risk assessment is used to create the periodic audit plan.
Questions for you:
- Is this useful?
- How would you change it?
- Can you share your approach and, especially, tools?