
Risk management

What is risk management and how does it relate to internal audit? This is a brief introduction to the topic, explaining some of the terms and linking to resources that will help your research.

  • Defining risk, risk management and ERM
  • The role of internal audit in risk management
  • FRC's latest guidance
  • Risk appetite
  • Risk culture - resources for practitioners
  • Competition law risk

Defining risk, risk management and ERM

The IIA's International Standards define a risk as 'the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.'

For most organisations, risk management is concerned with both the positive and negative aspects of risk. So, as well as managing things that could have an adverse impact (downside risk), it also looks at potential benefits (upside risk). It can be applied holistically and can also be used on specific activities, from the strategic to the operational.

In organisations, risk management is central to good governance. Enterprise risk management (ERM) describes what happens when organisations put in place a structured, continuous process to identify, manage and respond to risk.

However, although ISO 31000 has recently gained wider recognition, there is no universally recognised definition of, or approach to, risk management and ERM. The subject is too diverse and its applications too broad.

The list below links to different standards and frameworks related to risk management and ERM (some of which require a purchase). Each provides a way of categorising risk to help you identify, assess and evaluate it. The different categories of risk can be used to tailor an approach that suits your organisation. 

Read our guide on how to choose between the different standards

The role of internal audit in risk management

The IIA position paper on the role of internal audit in enterprise-wide risk management explains the various roles that internal audit can perform, depending on how mature an organisation's risk management culture is.

We explain the related concept of risk-based internal audit in 'Risk based internal auditing'. This sets out methodologies for assessing an organisation's risk maturity and for preparing periodic audit plans and assurance engagements.

FRC's latest guidance published September 2014 

The Financial Reporting Council (FRC) has published new guidance on risk management, internal control and related financial and business reporting. It reflects changes made to the UK Corporate Governance Code. This guidance revises, integrates and replaces two of its earlier publications:

  • Internal Control: Revised Guidance for Directors on the Combined Code 
  • Going Concern and Liquidity Risk: Guidance for Directors of UK Companies

Read the FRC's new guidance

Risk appetite

It can be difficult to arrive at a consensus given the range of attitudes that may exist towards risk taking. Defining a risk appetite assumes there is a clear understanding of what success looks like for the organisation, which may not be immediately apparent or universally recognised and agreed.

Read our guide to risk appetite and internal audit

Risk culture

Problems with risk culture are often blamed for organisational difficulties. IRM's publication aims to help organisations have a better understanding of their own risk culture: why do individuals, groups and organisations behave the way they do? It also gives some practical tools you can use to drive change.

Download IRM's guide to risk culture - resources for practitioners

Competition law risk

The IRM has published a short guide in association with the new Competition and Markets Authority (CMA) on the risks of contravening UK competition law. Chapter six focuses on how to ensure your business is compliant using a risk-based approach.

Download IRM's guide to competition law risk

The CMA has also published a 60-second summary, 'Competition Law: advice for internal auditors', along with a compliance at-a-glance and a compliance checklist.

Download CMA's:

Advice for internal auditors 
Compliance at-a-glance
Compliance checklist 

Institute of Risk Management guides are published here with kind permission.

Content reviewed: 2 August 2016