How do you audit enterprise risk management?
The IIA published a Practice Guide, Assessing the Risk Management Process, in 2019. It is recommended guidance and not mandatory. What is mandatory in the IIA Standards is performing an assessment, and this Practice Guide (PG) is intended as helpful advice on how to do it. (While the Standards say that you must perform an assessment, I am assured that you don’t need to do so every year (regardless of the actual words used) when the risk is low – for example, if it was assessed and found effective the prior year.)

The PG starts well:

Around the world, risk management activities and initiatives are required and expected by regulators, rating agencies, and a host of other stakeholders in major industries including financial services, government, manufacturing, energy, health services, and more. However, risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.

Internal auditors must evaluate the effectiveness and contribute to the improvement of the risk management process (Standard 2120 – Risk Management). Benchmarking the current state of the…
