Assessing the Risk Management Process

Risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.

Internal auditors must evaluate the effectiveness and contribute to the improvement of risk management process (Standard 2120 – Risk Management). Benchmarking the current state of the organization’s risk management against a risk management maturity model is a good place to start this type of assessment. Benchmarking may help the internal audit activity communicate with senior management and the board about the organization’s level of risk management maturity and about aspiring to improve the process and advance in maturity. This information also enables internal auditors to appropriately tailor each engagement, taking into account the maturity of the area or process under review.

This guidance provides examples of risk management maturity models and a basic methodology internal auditors may use to provide independent assurance that the organization’s risk management process is effective. Applying the guidance will help internal auditors protect and enhance organizational value and fulfill the expectations of the board and senior management.