Stages of a risk audit
There are four stages in a risk audit: identification, assessment, review and report. Together these comprise an audit or review of an organisation's risk management.
Identification
Identification of risks is the first part of any risk audit. Risk can be defined as the potential for future loss arising from a present action or inaction. Risks come and go with the changing nature of business activity, and with the continual change in any organisation's environment.
To carry out this identification exercise the auditors need to interview key staff, most likely departmental managers, and potentially other employees and outside experts, to establish their views of the major risks facing the company.
This exercise can be further supported with analysis of external market data, looking in particular at the markets or businesses on which the company is most reliant and at the long-term impact of any efficiency measures taken to date.
Assessment
Once identified, the next task is to assess each risk.
Each identified risk needs to be measured against two variables: the probability (or likelihood) of the risk being realised, and the impact or hazard (what would happen if it were realised). These two intersecting continua can be used to create a probability/impact grid on to which individual risks can be plotted.
This assessment requires a significant amount of judgement on the part of the auditor, and may need input from staff within the business. It may not be possible to assign monetary values to all risks, but a rating of at least high or low should be reached for each one.
Review
At the review stage, the auditor analyses the controls the organisation has in place should each risk materialise. For example, this could involve examining the contingency plans the company has put in place.
Where risks have been accepted, a review is undertaken of the effectiveness of planning for measures such as financing, customer support, help lines and so on, should the unavoidable risk materialise.
This review stage can represent a substantial task, as the response to each assessed risk is part of the review and there may be many risks to consider.
Report
Finally, a report on the review is produced and submitted to the board, probably via the audit committee or the Risk & Compliance Manager.
The report would list the key risk areas, i.e. those assessed as high (high probability and/or high impact), and for each of those risks would discuss the effectiveness of the existing controls in place.
For any areas where the controls are ineffective and expose the business to potential losses, the auditor will most likely recommend courses of action to improve risk management.
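The probability/impact grid from the assessment stage, and the list of high-rated key risk areas that the report stage draws from it, are easy to work through in a small risk register. The following is an added example written for this post, not a tool from the article or from any real audit. It assumes 1 to 5 ordinal scales for both axes, treats a score of 4 or 5 on either axis as "high" (the "high probability and/or high impact" rule above), ranks high risks by the product of the two axes, and uses a constructed set of register entries.

```python
"""Risk register scored on a probability/impact grid.

Added example for this post; the scales, the 'high' threshold and the
register entries are assumptions, not data from any real audit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1..5 ordinal scale on both axes
HIGH_FROM = 4                 # assumed: 4 or 5 on either axis counts as 'high'


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int   # likelihood of being realised: 1 (rare) .. 5 (almost certain)
    impact: int        # consequence if realised: 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently fall off the grid.
        for axis in (self.probability, self.impact):
            if not SCALE_MIN <= axis <= SCALE_MAX:
                raise ValueError(f"{self.name!r}: scores must lie in {SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        # Product of the two axes; used only to rank risks within a rating band.
        return self.probability * self.impact


def rate(risk: Risk) -> str:
    """'high' if either axis is high (high probability and/or high impact), else 'low'."""
    return "high" if max(risk.probability, risk.impact) >= HIGH_FROM else "low"


def build_grid(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Plot each risk on the grid: (probability, impact) cell -> names in that cell."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        grid.setdefault((r.probability, r.impact), []).append(r.name)
    return grid


def render_grid(risks: List[Risk]) -> str:
    """Text heat map of cell counts: impact rises up the page, probability runs left to right."""
    grid = build_grid(risks)
    lines = []
    for impact in range(SCALE_MAX, SCALE_MIN - 1, -1):
        cells = [str(len(grid.get((p, impact), []))) for p in range(SCALE_MIN, SCALE_MAX + 1)]
        lines.append(f"impact {impact} | " + "  ".join(cells))
    lines.append("           " + "  ".join(str(p) for p in range(SCALE_MIN, SCALE_MAX + 1)))
    lines.append("           probability")
    return "\n".join(lines)


def key_risk_areas(risks: List[Risk]) -> List[Risk]:
    """The risks a report would list: those rated high, worst score first, ties by name."""
    highs = [r for r in risks if rate(r) == "high"]
    return sorted(highs, key=lambda r: (-r.score, r.name))


# Constructed sample register for this example; not taken from any real audit.
REGISTER = [
    Risk("Ransomware on payroll system", probability=3, impact=5),
    Risk("Phishing credential theft", probability=5, impact=3),
    Risk("Key supplier insolvency", probability=2, impact=4),
    Risk("Staff turnover in finance team", probability=4, impact=2),
    Risk("Data centre flood", probability=1, impact=3),
]

if __name__ == "__main__":
    print(render_grid(REGISTER))
    for r in key_risk_areas(REGISTER):
        print(f"{rate(r):4}  score={r.score:2}  {r.name}")
```

Running the script prints the grid and then the four high-rated risks in report order; the flood risk, at probability 1 and impact 3, falls below the threshold on both axes and is left out of the key risk list. Monetary values are deliberately absent, matching the point above that a high/low rating is often all that can be reached.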