How do you audit a risk management program?

With so many risk management standards and government regulations requiring risk assessments, how should internal audit evaluate the effectiveness of your organization’s risk management program? How would you apply any one of these frameworks to an audit? And how do you meet the reporting requirements of so many external stakeholders, from regulators to investors to customers to rating agencies?

Challenges with using risk management frameworks:

  • Many standards to choose from: COSO, ISO 31000, Solvency II, etc.
  • Recommendations are vaguely defined and not directly actionable
  • No concept of improvement over time
  • Standards are lengthy and abstract

None of these standards provides clear auditor guidelines, review requirements, or control recommendations. Because of this, some auditors have begun using risk maturity models developed by consultants. However, these models tend to be externally focused on compliance rather than centered on achieving an organization’s internal goals and performance.

This is where the proven framework known as the RIMS Risk Maturity Model comes into the auditing process.

The RIMS Risk Maturity Model is a collection of best practices taken from each of the major ERM standards. For each criterion it provides clear and actionable activities to meet the standard, as well as risk metrics to track how effectively it has been achieved. Higher risk maturity under the RIMS Risk Maturity Model has been shown to correlate with better business performance.

How does internal audit use the RIMS Risk Maturity Model to review risk management?

The RIMS Risk Maturity Model has requirements for five levels of risk maturity for each of 68 core competencies that roll up to 25 success factors, 7 underlying attributes, and one final score.

This allows auditors to quickly assess their organization’s risk management program, identify the top findings that require remediation, and make actionable, practical recommendations using the companion practitioner’s guide.

Review your organization’s enterprise risk management program with clear requirements, clear recommendations, and a focus on your organization’s strategy and achieving results.

Take a tour of the RIMS Risk Maturity Model Assessment today and see how intuitive auditing risk management can be.


Steven Minsky is a recognized thought leader in risk management and the CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. He is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic’s impacts and published action plans to help organizations prepare.
