Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

How Should You Audit and Assess Risk Management?


A few years ago, I wrote that CAEs who didn't audit risk management at their organization "deserved a seat at the children's table."

This upset a few people, including some in positions of authority.

But the underlying position has become pretty much accepted around the world, and is even required by a number of corporate governance codes.

If you don't manage risk effectively (it's better to talk about how the organization as a whole manages risk than to imply you are talking only about the risk management function), then you are driving the freeway of life without looking ahead.

Risk management is about more than the periodic review of a list of top risks. That is driving the freeway of life and only looking up and ahead every 15-20 minutes.

Risk management is about:

  • Setting the right strategies and objectives to deliver value, considering what might happen (risk).
  • Understanding how the achievement of objectives may be affected by events and situations as management and staff execute those strategies.
  • Acting to modify the likelihood and effect of those events and situations, recognizing that each event or situation can have multiple consequences — some favorable and some adverse.
  • Ensuring that decisions are informed and intelligent, whether in setting or modifying strategies, or in executing them every day through management decisions across the extended enterprise, such that the right levels of the right risks are taken.
  • Monitoring and reporting so that board members and senior managers understand not only the levels of individual sources of risk, but whether they are likely (or not) to achieve each of their objectives.

You could audit and assess risk management in a number of ways. For example:

  • An audit of compliance with corporate risk policies and procedures.
  • Assessing risk management maturity, using one of the available risk management maturity models (I have a few in World-Class Risk Management).
  • Assessing whether the principles for effective risk management are achieved (drawing on those in ISO 31000:2009 or in COSO ERM 2017; I have discussed these principles in an earlier post).

I personally like a risk and objectives-based approach to pretty much any audit. Here the objective is to manage risk at desired levels. There are multiple risks to achieving that objective (again, described in detail in my book), such as failures to:

  • Include the appropriate people in decisions, where risk is taken.
  • Obtain reliable, current, and timely information on which to base decisions.
  • Address cognitive bias, which can affect both an individual and a group's assessment of risk.
  • Ensure the desired attitude towards risk: behaviors that are influenced by the culture of the organization, a location, function, or business unit.
  • Obtain buy-in from all key individuals at all levels of management.

This is what I recommend for anybody seeking to audit and assess risk management (or the management of risk).

  • Understand risk management and its principles. ISO 31000:2009 and the 2017 COSO ERM Framework are just two possible sources, but I would also recommend my book and that of John Fraser, Implementing Enterprise Risk Management: Case Studies and Best Practices.
  • Understand what the organization needs from risk management. Start by understanding how and where decisions are made and risks taken. In fact, understanding who makes decisions, and therefore who takes risk, is critical to understanding how risk is managed. Is decision-making centralized or decentralized? Do individuals have a lot of autonomy in decision-making, or is consensus required? Is risk dynamic, volatile, or relatively stable?
  • What are the risks to effective risk management? What could go wrong and what needs to go right for there to be reasonable assurance that the right levels of the right risks are taken? ("Right" means what is desired and possibly approved by the executive management team and the board.)
  • What controls are in place to address these risks?
  • Is the design adequate? If the controls are operating consistently as designed, is there reasonable assurance that risk will be managed at desired levels?
  • Perform controls testing to obtain assurance that they are operating effectively as designed.
  • Assess the results of your work. Where is risk management on the maturity curve? What can and should be done to improve it at an appropriate cost? Recognize that one of the costs may be slowing down decision-making and losing operational opportunities.
  • Communicate the results and your insights.

This should work.

It will provide assurance and insight on whether you have the right risk management for the organization, not just whether it complies with any standard or policy.

I welcome your comments.
