What is risk management and how does it relate to internal audit? This is a brief introduction to the topic, explaining some of the terms and linking to resources that will help your research.
The IIA's International Standards define a risk as 'the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.'
For most organisations, risk management is concerned with positive and negative aspects of risk. So as well as managing things that could have an adverse impact (downside risk) it also looks at potential benefits (upside risk). It can be applied holistically, and also be used on specific activities, from the strategic to the operational.
In organisations, risk management is central to good governance. Enterprise risk management (ERM) describes what happens when organisations put in place a structured, continuous process to identify, manage and respond to risk.
However, although ISO 31000 has recently gained wider recognition, there is no universally recognised definition of, or approach to, risk management and ERM. The subject is too diverse and its applications too broad.
The list below links to different standards and frameworks related to risk management and ERM (some of which require a purchase). Each provides a way of categorising risk to help you identify, assess and evaluate it. The different categories of risk can be used to tailor an approach that suits your organisation.
- Institute of Risk Management/AIRMIC/Alarm - A Risk Management Standard
- COSO (2011) Embracing ERM: getting started
- COSO (2011) Developing key risk indicators
- Managing risk in government - NAO 2011
- HM Treasury Guidance Orange Book: Management of Risk - Principles and Concepts
- HSE - Principles of Sensible Risk Management
- ISO/FDIS 31000 Risk Management - Principles and guidelines
- AS/NZS ISO 31000: 2009 Risk Management
Read our guide on how to choose between the different standards
The IIA position paper on the role of internal audit in enterprise-wide risk management explains the various roles that internal audit can perform, depending on how mature an organisation's risk management culture is.
We explain the related concept of risk-based internal audit in Risk based internal auditing, which sets out methodologies for assessing an organisation's risk maturity and for preparing periodic audit plans and assurance engagements.
The Financial Reporting Council (FRC) has published new guidance on risk management, internal control and related financial and business reporting. It reflects changes made to the UK Corporate Governance Code. This guidance revises, integrates and replaces two of its earlier publications:
- Internal Control: Revised Guidance for Directors on the Combined Code
- Going Concern and Liquidity Risk: Guidance for Directors of UK Companies
It can be difficult to arrive at a consensus on risk appetite, given the range of attitudes that may exist towards risk taking. Defining a risk appetite assumes there is a clear understanding of what success looks like for the organisation, which may not be immediately apparent or universally recognised and agreed.
Read our guide to risk appetite and internal audit
Problems with risk culture are often blamed for organisational difficulties. IRM's publication aims to help organisations have a better understanding of their own risk culture: why do individuals, groups and organisations behave the way they do? It also gives some practical tools you can use to drive change.
Download IRM's guide to risk culture - resources for practitioners
The IRM has published a short guide in association with the new Competition Markets Authority (CMA) on the risks of contravening UK competition law. Chapter six focuses on how to ensure your business is compliant using a risk-based approach.
Download IRM's guide to competition law risk
The CMA has also published a 60-second summary, Competition Law: advice for internal auditors, along with a compliance at-a-glance and a compliance checklist.
Institute of Risk Management guides are published here with kind permission.