How Do You Audit a Risk Management Program?

With so many risk management standards and government regulations out there that require risk assessments, how should internal audit evaluate the effectiveness of your organization’s risk management program?  How would you apply any one of these frameworks to an audit?  How do you meet the reporting requirements of so many external stakeholders from regulators to investors to customers to rating agencies?

Challenges with using risk management frameworks:

• Many standards to choose from: COSO, ISO 31000, Solvency II, etc
• Recommendations aren’t directly actionable and are vaguely defined
• No concept of improvement over time
• Standards are lengthy and abstract

None of these standards have clear auditor guidelines, review requirements, or control recommendations. Because of this, some auditors have begun using risk maturity models developed by consultants, however these models tend to be externally focused on compliance rather than centering around achieving an organization internal goals and performance.

This is where the proven framework known as the Risk Maturity Model comes into the auditing process.

The Risk Maturity Model is a collection of best-practices taken from each of the major ERM standards. For each of these criteria it provides clear and actionable activities to achieve these standards as well as risk metrics to track the effectiveness of achievement.  The Risk Maturity Model has been proven to correlate with better business performance as risk maturity increases.

How does internal audit use the Risk Maturity Model to review risk management?

The Risk Maturity Model has requirements for five levels of risk maturity for each of 68 core competencies that roll up to 25 success factors, 7 underlying attributes, and one final score.

This allows auditors to quickly assess their organization’s risk management program, identify the top findings that require remediation, and make actionable and practical recommendations with the companion practitioner’s guide.

Review your organization’s enterprise risk management program with clear requirements, clear recommendations, and a focus on your organization’s strategy and achieving results.