Assessing the Risk Management Program

The IIA Standards require that internal audit functions assess the adequacy of risk management programs (see here for a related post). But how do you do that?

In an earlier post, I provided some suggestions and recommended (and provided a link to) a risk assessment framework from the UK Treasury department. Some of my risk management expert friends have since looked at the tool and agree it is one of the best out there.

The ISO 31000:2009 global standard for risk management advises that each organization should have a risk management program that meets its specific needs. That is good advice, because I don’t think a manufacturing company that markets its products solely to the US auto industry should have the same risk management program as a diversified global financial services company. Risk management at a non-profit or a government agency should be different, in terms of staffing, processes, and organization, from either the manufacturing or the financial services company.

Is it sufficient to measure a risk management program against the standard or framework the organization has adopted (whether ISO, COSO, BIS, or other)? I don’t think so.

I believe the auditor should first seek to understand how risk management at his organization can add value to its operations.

Questions might include:
  • What are the risks that could cause the organization to fail — not just the ones that are ‘important’, but the ones that are crucial? Is it realistic that they might occur?
  • How critical is it to manage risks inherent in day-to-day transactions? Does the organization take on risks of massive size, and if so how often?
  • How critical is it to consider risk in day-to-day decisions? How often does management make poor decisions because they were not thinking about what could go wrong, or what could go right?
  • How often do potential events of significance arise? How much time does management have to respond? The shorter the time, the better prepared they should be!
  • How often do management and the board have to assess risks? If they tend to change rarely and slowly, then monthly or quarterly assessments may be adequate. But, if management has to be ready to respond to instant changes in the economy, in the competitive environment, in costs or selling prices, in the supply chain and logistics, etc., then risk assessment should be very frequent — perhaps continuous. I like to say “manage risk at the speed of the business”.
  • How many risks should be managed? How many risks, if not managed properly, could cause damage of significance?
  • Does management have a good track record of taking [corrective] actions to manage risks?

Once the auditor understands how risk management should add value, then the audit can start to assess whether it is effective in delivering that value.

Complying with somebody’s white paper on risk management may be fine — on paper. The real test is whether it meets the needs of the organization.

I welcome your views, including how you would change the list of questions above.

Posted on Nov 22, 2010 by Norman Marks


  1. Norman,

    A good list of questions and agree with you completely that one cannot use the same standard format for risk management across all industries and countries.

    I think one question which as auditors we fail to consider is - what is it which we don't know about the organization's risks? My point is that we see the obvious risks, without understanding the impact of slow creeping hidden risks. And it is these slow creeping risks which suddenly turn into a big risk and we start doing fire fighting.
  1. Norman,

    While I agree with your point that one standard format cannot be used for all industries, my experience has been that at the top the risks are completely not understood for the organization, and auditors fail to provide the appropriate recommendations based on the risk the organization is carrying.

    Further, 'Manage the risk at the speed of the business' is very relevant, and as Risk Managers we need to align with the business strategy of the organization.

  1. A number of people (primarily on LinkedIn) have commented on IIA guidance, the need to look at the risk framework, etc.

    The point I am making is that risk management, or ERM, is a way to make more intelligent decisions and manage the business better.

    Like Finance, Legal, or Logistics, when you evaluate ERM you have to assess whether it meets the needs of the business. Assessing whether it complies with COSO ERM or ISO 31000 means nothing if it is not the 'right' risk management for the business - for example, it might be more extensive and costly than needed.

    There are choices in implementing ERM:

    - How many risks will be assessed?
    - How often will they be assessed?
    - How often will the executive leadership review and discuss risks?
    - How often will the board review and discuss risks?
    - etc.

  1. I would look at it from a different angle. The adequacy of risk management to me is the number of times a risk has been averted / (controlled damage) because suitable mitigation has been taken in time. As an auditor I would also see to what extent my understanding of risk is at variance with that of Risk management view on a particular risk, then further explore why the variance is there or what needs to be added to converge.

    On the issue of how many risks are to be audited, or how often: I would like to understand the size of the control that is mitigating the risk. By the size I mean that if the control fails, the risk will be shooting into the high or critical zone. Of course there will be a tradeoff with the skills available in audit to cover all that one would like to cover, but that does not mean that one should be covering all and sundry. I would also like to study the organisation from the view of whether it is over-controlled at the time of evaluation of risk management effectiveness.

    On the question of the frequency with which executive leadership and the board discuss risk, I believe that how earnest they are in implementing the necessary mitigation is also important, i.e. even if they meet quite frequently, being casual towards the implementation of controls really does not serve the purpose. A slack disciplinary process could also be an indicator.

    Again, all this boils down to one thing, and that is the number of surprises the organisation is encountering in running the business. Maybe a trend analysis of the past two years, along with industry-wide incidents, will help to take a view. Apart from all this, I have a personal curiosity to study the list of "Accepted Risks" by the management.

  1. Bishwajit,

    If the risks that could cause damage are infrequent and of only medium proportion, would you have the same intensity of risk management as a company with daily risk-taking in the billions?

    When you drive and the road is empty, do you pay as much attention to traffic as when there are many large trucks and motorbikes traveling at 100 kph around you?

    The same applies to an audit of risk management. We should not only be considering whether the risk management 'intensity' is sufficient, but whether it is excessive.

  1. Norman:

    I have not ranted for at least a week now and so here goes!!

    Anyone who would disagree with the questions you articulate in your blog as being other than excellent risk management questions does not understand risk management at all. Having said this, such questions will not allow the average internal auditor to assess the adequacy of their company's risk management program. The questions need to be built around an assessment framework, from the top and then filtered down. Here is how it should work, from my interpretation of the HM Treasury document.

    Is there anything more important in an assessment of an entity's risk management program than these three things:

    Assessing the company's capabilities in risk management

    Assessing how well they are currently handling the risks

    Assessing whether their risk management program has contributed and contributes to achieving outcomes of good risk management

    Each of the above three areas has a series of questions and subquestions that would be asked to allow the internal auditor to get answers. The document further has an assessment scale which would be used in obtaining answers to questions, ranging from:

    1 Awareness and understanding

    2 Implementation planned and in progress

    3 Implemented in all key areas

    4 Embedded and improving

    5 Excellent capability established

    Having stated all of the foregoing, it will take the average internal auditor quite some time to be able to effectively use the questionnaire, as training in the various areas of risk management is desperately needed, using qualified risk practitioners.

    (Continued below) 


  1. (continued from above)

    Your statement that risk management programs at manufacturing entities should be different than, say, at financial service entities is confusing, and I do not think you intended to say this. There is a risk management process and a risk management framework. The risk management process must be the same at every company, and it should follow the ISO 31000 process, which is quite easy/straightforward. The framework must include core things at every entity, but the level of detail/specifics will vary not only by industry but even within an industry. For example, one of the pieces of the framework is the adequacy of policies in place. For one entity it could be two policies and for another it could be five.

    The ensuing discussions by various participants following your blog are also off the mark, in my opinion, as is the opinion lodged by a consultant on one of your other related blogs on the "importance of the value chain to this entire effort".

    NO - the HM document is the only credible risk management assessment tool that I have seen to date. It needs further work to tailor it to the US market, but it is a great start. The capabilities piece focuses on risk leadership, people, risk policy/strategy and external partnerships. The results piece focuses on risk handling and outcomes (i.e. the benefits of doing risk management).

    Internal auditors should work hard to get an understanding of how to adequately assess their organization's risk management processes because if they do, they will not be discharging their responsibilities and this will give further ammunition to the myriad of consulting firms out there trying to get the ear of the board at various companies to outsource the internal audit work.
  1. Arnold, what is your reaction to the analogy of driving an empty road vs one that is full of speeding trucks?

    My point is that the auditor should not use the same standard for assessing risk management when the risks are infrequent and moderate, vs where the risks are frequent, of high-velocity (clock speed), and large.

    Do you spend the same money on cash management at a local brewery as at a global manufacturing company? Even if the total revenues are the same?

  1. Norman:

    Assessment of the adequacy of an entity's risk management program has nothing to do with whether the risks are infrequent and moderate or the other descriptions you use. If you wish to discuss further by private e-mail, please communicate with me. Thanks.

    Best regards,
  1. Norman,

    Back to the roots. I consider ERM to be a control. Controls have to be adequate, and that's all. Adequate to give a reasonable assurance that the objectives will be met.

    I like "manage risk at the speed of the business". If the speed is too high, it limits the maturity level of the ERM processes or activities, so the risk premium for the market has to be higher.

    Best Regards
  1. Johan,

    Yes, I agree in absolute terms with your comments that ERM is essentially 'control', but I'm of the view that managing risk at the speed of the business is a 'suicidal business decision'. No matter the risk premium in the market, the essence of ERM and the objective of the firm cannot be relegated to the background. Risk is measurable, so the capacity of the firm and the firm's risk tolerance level are of the essence and should be given due consideration.

    I am enjoying your comments.

  1. Alban, why is "managing risk at the speed of the business" a 'suicidal business decision'?

    Every time you make a decision it involves managing risk.
