A Risk Assessment Tool for Auditors and Risk Officers

For many years, I used (and continued to develop) a tool that helped with risk discussions with board and top management. You can access a copy here. (By the way, I have made a number of other files available from my LinkedIn profile).

The tool is a vehicle for talking about risks to the business. It is somewhat similar to a risk register, but it is easier for most executives to work with a visual representation.

First, I talk to the executives about the diagram and ask whether it includes the more significant risks.

Then, we go through each area and assess the various risks.

The results are aggregated and I put together a summary (usually in the form of a heat map or hi:lo chart) to discuss with the board. The risk assessment is used to create the periodic audit plan.
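The aggregation step above is where the summary for the board is decided. The following is an added illustration, not the author's tool or any file from the post: a small risk register (constructed areas and ratings) scored on an assumed 1-5 likelihood and impact scale, collapsed to one row per diagram area, placed on a 5x5 heat-map grid, and ranked for an audit plan. The banding thresholds and the choice to report both the worst single risk and the area average are assumptions made for the example.

```python
"""Aggregate per-risk ratings into an area-level heat map and a ranked audit list.

Added illustration; the scale, areas, ratings and thresholds below are constructed
assumptions and are not taken from the original post or its tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    area: str        # region of the risk diagram this risk belongs to
    name: str
    likelihood: int  # assumed 1-5 scale, 1 = rare, 5 = almost certain
    impact: int      # assumed 1-5 scale, 1 = negligible, 5 = severe

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: ratings must be within 1-5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rating_band(score: int) -> str:
    """Map a likelihood x impact product onto the three colours of a heat map.
    Thresholds are an assumption for this example."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def aggregate_by_area(risks):
    """Collapse individual risk scores to one row per diagram area.

    Two aggregations are kept side by side because they tell different stories:
    the maximum shows the single worst exposure in the area, the mean shows how
    broadly the area is exposed. Returns a dict keyed by area name.
    """
    grouped = defaultdict(list)
    for r in risks:
        grouped[r.area].append(r)
    summary = {}
    for area, items in grouped.items():
        worst = max(items, key=lambda r: r.score)
        summary[area] = {
            "count": len(items),
            "max_score": worst.score,
            "worst_risk": worst.name,
            "mean_score": round(sum(r.score for r in items) / len(items), 1),
            "band": rating_band(worst.score),
        }
    return summary


def heat_map(risks):
    """5x5 grid of risk names indexed [impact][likelihood], ready for a board slide."""
    grid = {i: {l: [] for l in range(1, 6)} for i in range(1, 6)}
    for r in risks:
        grid[r.impact][r.likelihood].append(r.name)
    return grid


def audit_priority(summary):
    """Order areas for the audit plan: band first, then worst score, then mean."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(
        summary,
        key=lambda a: (rank[summary[a]["band"]],
                       -summary[a]["max_score"],
                       -summary[a]["mean_score"]),
    )


# Constructed sample register (not from the original post).
SAMPLE_RISKS = [
    Risk("Financial reporting", "Manual journal entries bypass review", 3, 4),
    Risk("Financial reporting", "Spreadsheet errors in consolidation", 4, 3),
    Risk("IT", "Privileged access not recertified", 4, 5),
    Risk("IT", "Backups never restore-tested", 2, 5),
    Risk("Compliance", "Export control screening gaps", 2, 3),
    Risk("Operations", "Single-source supplier failure", 3, 3),
]

if __name__ == "__main__":
    summary = aggregate_by_area(SAMPLE_RISKS)
    for area in audit_priority(summary):
        row = summary[area]
        print(f"{area:20} {row['band']:6} max={row['max_score']:2} "
              f"mean={row['mean_score']:4} worst: {row['worst_risk']}")
```

Whether an area is summarised by its worst risk or by its average changes the ranking, so the choice should be stated on the board summary; with the sample register, IT ranks first on either measure, but Financial reporting and Operations swap places depending on which one is used.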

Questions for you:

  • Is this useful?
  • How would you change it?
  • Can you share your approach and, especially, tools?

Posted on Jul 12, 2010 by Norman Marks


  1. It's a good model diagram.

    Have you seen Her Majesty's Treasury Risk Management Assessment Framework?

    It's a good tool which might also aid discussion and assessment of risk maturity in any organisation, with a bit of tweaking.

  1. Hi Paul, thanks for the comments. I referenced the document at http://www.theiia.org/blogs/marks/index.cfm/post/A%20Useful%20Framework%20for%20Assessing%20Your%20Risk%20Management%20Program. That is the one you are suggesting might be used?


  1.  Norman

    The framework from Treasury has been taken by Alarm (The National Forum for Risk Management in the Public Sector) and developed into a risk maturity model and a benchmarking club. I sit on the board of Alarm and if you're interested Peter Andrews or I would be happy to share the thinking behind it.
  1. Hi Norman,

    Yes that's the right model.

    It's based on the EFQM (European Foundation for Quality Management) Excellence Model, of which you might know the equivalent, the Malcolm Baldrige National Quality Award - Performance Excellence.

    I have given the model to the Risk Manager to score, the Risk Management Committee, then the Board. I have then conducted an assessment by Internal Audit which must be based on objective evidence.

    Then, you can compare across all views.

    It actually creates a stimulating debate. The organisation asks itself what risk maturity do we need to run the business? Do we need to be box 5's or is box 3 acceptable and "fit for purpose"? It might produce an action plan.

    But it certainly is the best tool that I've found that will fill the gap within the IIA's Risk Based Internal Audit (RBIA) Position Paper.

    The gap of course is that in order to decide on Internal Audit's approach within RBIA, we must firstly assess "risk maturity" on the following scale: Risk Naive, Risk Aware, Risk Defined, Risk Mature, Risk Enabled. 

    However, the gap is that there is nothing to advise Internal Audit how to make that assessment.

    That is where I use Treasury's Risk Management Assessment Framework, as I think it's best in class, and it enables an informed discussion with management and produces a consensus view on risk maturity - so it's not just something secretive within Internal Audit.

  1. Under the new UK Corporate Governance Code, there is a greater responsibility placed on the Board to challenge, and question leadership, strategy, long term planning, risk, the business and the performance of the Board committees, being some of the key areas to address.


    What you do in the risk space covers some areas that are covered in a Board Evaluation (new style), which is one specific business offering we provide (Genius Methods www.geniusmethods.com). We run our process on the ComplySoft questionnaire and diagnostic tool.


    Please follow http://www.theiia.org/blogs/marks/index.cfm/post/A%20Risk%20Assessment%20Tool%20for%20Auditors%20and%20Risk%20Officers#commentForm for the full text of the reply.



  1. Well Norman, it is a good place to start for a presentation but it is not an actual tool yet.

    I would use it as the basis for a questionnaire / checklist (offline Excel, online web based) that yields a spider diagram or greens your similar-looking diagram at the right place.
  1. Norman,

    This is a useful picture of how we deal with executive management when assessing risk and developing our annual plan.  And, we've done this to help drive home the need for an "Enterprise Risk and Compliance Program" which we've recently launched.  The chart-like approach will be useful to us as we continue to develop awareness and gap-closure process. 

  1. Dear All,

    I have been attending the SIG on Enterprise Risk with the IRM, and very interesting it is too - the last SIG was on Risk Appetite, so there are no "definitions" agreed as yet, much to my chagrin.

    I concur the Treasury/ALARM/CIPFA (basically ALARM) benchmark is the most useful.

    However, agree that to clarify what the levels mean requires deeper questions / checklists to underpin the results - i.e. not the helicopter view questions provided with the model.

    Does anyone know of such questions?

    Regards, Alex

  1. I agree, it is easier to work with visual presentations.  Great risk assessment tool.  I am both a visual and hands on learner.

  1. Tool evaluation
