How to assess the effectiveness of risk management


Internal auditors are expected, according to the IIA Standards and some governance codes, to assess the effectiveness of risk management.

That can be a challenge, especially as:

  • There is no commonly accepted idea of what effective risk management is.
  • While both the COSO ERM framework and the ISO 31000 standard provide principles for effective risk management, neither (in my opinion) is sufficient.
  • Few organizations are seen as having effective risk management, so there is no exemplar against which to measure. (The majority of organizations manage the potential for failure, not the likelihood of success – the gold standard of what is commonly called risk management.)

My good friend, Alex Sidorenko has given this challenge a valiant try in his recent video. (I encourage you to follow him as he challenges traditional thinking – something we should all do.)

His video, "3 things to look for when auditing risk management", identifies three areas to assess:

  1. Organizational performance compared to prior years, industry benchmarks, and so on
  2. How well the company makes decisions. Is risk information integrated with how decisions are made?
  3. Culture, including risk-related policies and procedures and attitudes towards risk

Taking each in turn, organizational performance is a poor indicator of effectiveness. Many succeed simply by being…
