How Do You Audit Risk Management?

Auditing Risk Management

GUEST BLOG POST
As the saying goes, you can’t audit what you don’t understand. And for auditing complex risk management processes, that idea can hit home for many internal auditors. That doesn’t mean you have to be an expert with years of experience as a risk practitioner to audit risk management, but you do have to know enough about risk management to be able to assess whether it is effective.

So, what does “effective” mean when it comes to auditing risk management? It means, in my opinion, that it meets the needs of the organization. Unfortunately, too many see it as about managing or mitigating the downside of risk, rather than knowing how much risk to take. They use risk registers and heat maps and call that effective risk management. It’s not. These are not tools that help people make informed and intelligent decisions that enable the achievement of enterprise objectives. Any assessment of risk management has to be broader and more useful to leaders of the organization.


If you pass the Institute of Internal Auditors’ exam and hold a Certification in Risk Management Assurance (CRMA), a certification I hold, does that mean you have the knowledge you need to audit risk management? Certainly not. Many have those initials after their name but don’t have more than rudimentary knowledge.

Gaining Risk Management Expertise

So, how do you gain sufficient knowledge? There are several good books on the topic. (Of course, I recommend my own: World Class Risk Management, Risk Management in Plain English, and Risk Management for Success). Others can add their favorites in the comments.

A number of organizations also provide training on risk management. But be careful to sign up only for classes that discuss both downside risks and upside opportunities. (ISO 31000 includes both the upside and downside effects of uncertainty in their definition of risk). Too many of these instructional programs teach and practice risk management as the mitigation of the downside of risk, rather than how to make informed and intelligent decisions and how to take the right level of risk.


See Related Article, “Factors Frequently Overlooked in Risk Assessments.”


You can also engage an expert to partner with you on the audit. That is what I did when we needed to audit the use of derivatives at Tosco Corp.

Informing Better Decision Making

Effective risk management needs to be practiced in every nook and cranny of the organization, with a focus on enabling the decisions that matter and addressing the more significant risks (and risk includes “opportunities”) to the achievement of enterprise objectives.

Risk management should include how objectives and strategies are set, as well as how the organization executes to achieve them. Every decision relies on understanding what might happen (my preferred definition of risk) under each scenario.

It includes not only avoiding harms, but also seizing opportunities—making the right business decisions. Sometimes, it is right to take more downside risk to gain upside potential. It is also not about the activities of any risk office. It is about the activities of every decision-maker in the organization.

Break it Down into Manageable Pieces

An audit that seeks to provide an opinion on the effectiveness of risk management would be a massive endeavor. It would almost be like assessing whether the system of internal control of the organization is effective, given that risk is both created and treated in every decision—both strategic and tactical.

We break down audits of internal control into manageable chunks. Each audit addresses one or more small pieces. The same can be done with risk management. Break it down into manageable chunks, such as:

  • Risk reporting to and discussion by the board
  • Supply chain risk management
  • Inventory risk management
  • Safety risk management (for the Liverpool plant, for example)
  • Competitor risk management
  • Major project risk management
  • Quality risk management (in Guadalajara, for example)

Identify the possible engagements and risk rank them (the risk to enterprise objectives if risk management is poor, combined with the likelihood that the risk management is insufficient).

I haven’t written a book on the topic, although I might take on the massive project at a later date, but I have provided a road map, especially in Risk Management for Success. My advice to anybody wanting to audit risk management is to use the maturity model in the book. It is extensive.

I am a big fan of using maturity models in auditing topics like this, as the opinion will be on where the organization’s maturity level is rather than whether it is effective or not.

I welcome your own thoughts on the topic. Please leave your views and ideas on auditing risk management in the comments section below.


Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.

Note: This article was republished with permission from Norman Marks on Governance, Risk Management, and Audit.

One Reply to “How Do You Audit Risk Management?”

  1. In the finance department we have 6 common risks we know:
     1. Irregular expenditure
     2. Unauthorized expenditure
     3. Wasteful and fruitless expenditure
     4. Overspending, etc.
     Yes, I also agree that internal auditors must understand the organization and its environment.
