How do you audit risk management?

You can’t audit what you don’t understand.

That doesn’t mean you have to be an expert with years of experience as a risk practitioner.

But you have to know enough about risk management to be able to assess whether it is effective.

What does “effective” mean?

It means, in my opinion, that it meets the needs of the organization.

Unfortunately, too many see it as about managing or mitigating the downside of risk, rather than knowing how much risk to take. They use risk registers and heat maps and call that effective risk management. It’s not. These are not tools that help people make informed and intelligent decisions that enable the achievement of enterprise objectives.

Any assessment of risk management has to be broader and more useful to leaders of the organization.

If you pass the IIA’s exam and hold a Certification in Risk Management Assurance (CRMA), a certification I hold, does that mean you have the knowledge you need to audit risk management?

Certainly not. Many have those initials after their name but don’t have more than rudimentary knowledge.

How do you gain sufficient knowledge?

There are good books on the topic (of course, I recommend my own: World Class Risk Management, Risk Management in Plain English, and Risk Management for Success). Others can add their favorites in the…
