Auditors need to understand risk management.


The current internal auditing standards from the IIA (not the draft update) require internal auditors to assess the adequacy of management’s risk management processes.

That sounds fine, but why?

Don’t do something just because the standards dictate it: there has to be a good business reason.

In this case, the reason is that if management does not have an adequate set of processes for understanding and addressing what lies ahead (i.e., both the potential positive and negative effects of risk – see below), they are not assured of making the right business decisions to achieve their objectives.

In other words, inadequate risk management (failing to understand and consider what might happen) is itself a source of risk to objectives.

If management is not making business decisions (both periodic and daily, strategic and tactical) with a reasonable understanding of what may lie ahead, is it likely they are making the right decisions? (I refer to them as “informed and intelligent decisions”.)

Note that I am not talking about risk as being limited to the downside, even though most “lists of risks” published by consultants (and the IIA) only talk about bad things that might happen.

Both COSO and ISO, and corporate governance codes such as the South African King IV report, define risk as having…
